You may want to change your passwords....


USMC2145

When changing the password, don't go to the extreme like this fellow

Engage!

  • Haha 2

22 minutes ago, 3LUE said:

Thanks for the heads-up. I guess someone found the post boring. It is people like that who make things easy for hackers. 

I found the post boring because I have heard this story so many times over the decades.

"The danger is that many people use very common passwords or if they're using a more difficult password or passphrase, they use the same one for multiple accounts, said Augenbaum. When those passwords are compromised, hackers can get into multiple accounts, he said."

No, the danger does not lie in the use of common passwords.  The danger is spreading the myth that hackers will do ... something. Rarely discussed is what that something is.  So, this article does not tell me why hackers would spend any time rooting through my accounts to find ... what?

 


4 minutes ago, Justin_Simpleton said:

I found the post boring because I have heard this story so many times over the decades.

"The danger is that many people use very common passwords or if they're using a more difficult password or passphrase, they use the same one for multiple accounts, said Augenbaum. When those passwords are compromised, hackers can get into multiple accounts, he said."

No, the danger does not lie in the use of common passwords.  The danger is spreading the myth that hackers will do ... something. Rarely discussed is what that something is.  So, this article does not tell me why hackers would spend any time rooting through my accounts to find ... what?

 

Well, they find uses for it ...

https://www.pbs.org/newshour/science/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it

https://www.creditkarma.com/id-theft/i/how-hackers-use-your-information

https://www.experian.com/blogs/ask-experian/what-do-hackers-do-with-stolen-information/

 

  • Like 1

The links @Wolfswetpaws provided above are pretty much the same information I've been seeing over the years.  The information described as useful to hackers for primarily ID theft, is the same information that each and every app, website, etc. requires (usually minus the SSN).  When you read through the terms of acceptance these sites say they will share information with third parties who may share with other third parties and most importantly, your data will be safe.  So, your name, address, phone number, and email address are already out there in the www.

I always find it strange that applications such as wows and autocad do not permit you, the user, to see what you type in for your password.  It's as if the assumption is that some jerk/hacker is looking over your shoulder.  Is this a real thing?

Then there is the Microsoft flash panel that pops up asking for your password.  There is no way to know what application is asking for the password.  I always have to assume it's Microsoft.

Back in the day I found out that my anti-virus software was the one giving me warnings and bogging down my computer; even after uninstall.  I had to go through the registry to remove every call for that program to execute.  Afterwards, the computer worked flawlessly till obsolescence. 

So, now I'm skeptical.  I don't believe the computer industry cares about the individual's privacy or safety.

I guess this topic hit a nerve.

  • Like 2

When your online digital 'signature' is limited to game passwords for free accounts, mail accounts and non-monetized YT accounts... 😂 They can hack all they want

  • Like 1

Well... This is not as interesting as two Brits literally embarrassing the CIA director by hacking into his personal and work accounts.

Here's the thing.. How much of a target am I??

Am I famous???

  • Did I partake in the Ashley Madison site and then become a YouTuber? Nope

Am I popular???

  • I don't think so.

Do the sites they have access to have any value or assets tied to them?

  • Negative ghost rider.

IMO, this appears to be a bunch of cyber vigilantes sticking it to the corporation. This is not the first or the last time this will happen.

I don't think (I may be wrong) hackers themselves will do something with your information. But now that it's in the open... I don't have the same conviction for the general public.

The hackers I'm not worried about. If anything they're proving yet again, you can't trust corporations with your data (a la Ashley Madison).

Now I have to worry about the other nefarious actors who are up to no good. Then again I think I'm safe because I'm not famous nor popular to warrant attention.

But if you're in the public spotlight... Be afraid, be very afraid and protect yourself at all times.

Link to comment
Share on other sites

I am dealing with a hacking incident right now and it sucks.

A website client of mine had his personal Facebook acct hacked which is tied to his business one. It has been a NIGHTMARE.

The hacker has ripped people off posing as my client and Facebook has been ZERO help.

I finally had my client go to the Police and report it as identity theft because we were getting run around in circles with Facebook. All of their recovery processes end up allowing the hacker to cut us off and keep us locked out.

We have managed to get them to disable it for now as I got a bunch of his FB friends to report the site but I have no clue if we can keep it shut off? Facebook has NO contact avenue and they won’t even talk to the Police.

Just a nightmare. I have been dealing with this mess all week. Next step is lawyers to make sure it is shut down.

Hackers should be castrated with a dull butter knife. 🤬🤬😩

Edited by AdmiralThunder
  • Like 5
  • Sad 1

38 minutes ago, AdmiralThunder said:

Hackers should be castrated with a dull butter knife. 🤬🤬😩

My first reaction was Facebook was who first deserved that fate....

Edited by ArIskandir

44 minutes ago, AdmiralThunder said:

Hackers should be castrated with a dull butter knife. 🤬🤬😩

Perhaps you get your lawyers to convince the police to charge Meta for aiding and abetting the identity theft.

  • Like 2

Sorry this is ludicrously long but the insomnia is upon me.

 
Years ago I was a member of a small IT department working for (what was then) a leading edge company that provided scientific consulting services in a specific field. They were THE go-to organisation for that stuff in the country. As a result a lot of the data they worked with was, at the very least, commercial-in-confidence and some of the stuff had an actual military security classification of secret. That meant that the only people who were permitted to access it had to have a security clearance of Top Secret or above. Conveniently I had such a clearance so I was the only person in IT who had access to the requisite file share.
 
We had an employee portal by which certain specific staff could VPN in to access a virtual desktop remotely and the security on it was tight. 2FA at a time when that sort of thing was only just coming into use in the back end of banks levels of leading edge.
 
Everything was great until the dreaded change in management took place, and the new managing director had the "must grow" mentality. Long story short ... the company expanded hugely and the new employees were, let's just say, not the best in the field. They wasted a ton of money trying to open an office in a country which is notoriously corrupt, lost a few contracts because they were trying to do too much with sub-par employees ... anyone who's been present at such a debacle knows the whole routine quite well I'm sure.
 
And so, as is always the case, the time for layoffs arrived. And for reasons that only EVER make sense to bean counters they laid off the most highly paid employees. And so, I took my (very substantial) redundancy payout and was walked off the site. You always walk the guy who has the domain password off the site immediately because, if he's pissed off, he could easily waste the entire place with a few commands.
 
Eighteen months down the track:
 
A security audit reveals that they have removed the heavy security on the secure file share and now everyone in the company can get at it with a little effort, have given EVERYONE access to the VPN and they have OUTSOURCED network management. The outsourced network management have, geniuses that they are, misconfigured the employee portal so that you can bypass the 2FA easily and the security logs show that several IPs from outside the country have been doing so at strange hours during the day.
 
Result: The company lost all their government and military contracts and the word got around and they lost a lot of other contracts. Effective end of company.
 
The point of that diatribe (which is too long but I was on a roll) is that no matter how careful YOU are with your security ... unless the IT department at the other end is equally careful and competent there is a very good chance that your data is already accessible to whoever wants it anyway. So unless there's a REALLY good reason ... don't give them your REAL information. A part of your own security, these days, is "Should I really give these incompetents my X" where X might be your phone number, address, date of birth.
 
Sometimes you have to ... but for sites like Facebook and X and the like, unless it's for business ... is it REALLY worth it?
 
Food for thought.

  • Like 6

29 minutes ago, SunkCostFallacy said:

Sorry this is ludicrously long but the insomnia is upon me.

 
Years ago I was a member of a small IT department working for (what was then) a leading edge company that provided scientific consulting services in a specific field. They were THE go-to organisation for that stuff in the country. As a result a lot of the data they worked with was, at the very least, commercial-in-confidence and some of the stuff had an actual military security classification of secret. That meant that the only people who were permitted to access it had to have a security clearance of Top Secret or above. Conveniently I had such a clearance so I was the only person in IT who had access to the requisite file share.
 
We had an employee portal by which certain specific staff could VPN in to access a virtual desktop remotely and the security on it was tight. 2FA at a time when that sort of thing was only just coming into use in the back end of banks levels of leading edge.
 
Everything was great until the dreaded change in management took place, and the new managing director had the "must grow" mentality. Long story short ... the company expanded hugely and the new employees were, let's just say, not the best in the field. They wasted a ton of money trying to open an office in a country which is notoriously corrupt, lost a few contracts because they were trying to do too much with sub-par employees ... anyone who's been present at such a debacle knows the whole routine quite well I'm sure.
 
And so, as is always the case, the time for layoffs arrived. And for reasons that only EVER make sense to bean counters they laid off the most highly paid employees. And so, I took my (very substantial) redundancy payout and was walked off the site. You always walk the guy who has the domain password off the site immediately because, if he's pissed off, he could easily waste the entire place with a few commands.
 
Eighteen months down the track:
 
A security audit reveals that they have removed the heavy security on the secure file share and now everyone in the company can get at it with a little effort, have given EVERYONE access to the VPN and they have OUTSOURCED network management. The outsourced network management have, geniuses that they are, misconfigured the employee portal so that you can bypass the 2FA easily and the security logs show that several IPs from outside the country have been doing so at strange hours during the day.
 
Result: The company lost all their government and military contracts and the word got around and they lost a lot of other contracts. Effective end of company.
 
The point of that diatribe (which is too long but I was on a roll) is that no matter how careful YOU are with your security ... unless the IT department at the other end is equally careful and competent there is a very good chance that your data is already accessible to whoever wants it anyway. So unless there's a REALLY good reason ... don't give them your REAL information. A part of your own security, these days, is "Should I really give these incompetents my X" where X might be your phone number, address, date of birth.
 
Sometimes you have to ... but for sites like Facebook and X and the like, unless it's for business ... is it REALLY worth it?
 
Food for thought.

I advised against all the social media sites for my client actually. I was very vocal about not doing Facebook especially. I told him you have an actual business website you don't need that other stuff IMHO. I personally won't go to a business social media site. I will only go to stand alone sites.

I am against social media mainly because it is such a security risk (hello look at the mess I am in with this hacked site - OY!) not to mention a money pit paying me to keep them updated. But, everyone feels compelled to do social media these days so the client insisted on it. I was able to limit it and talked my client into the fewest possible sites that had some relevance to his business vs the huge list he gave me but in the end you have to do what they want. 

What makes me cringe is he wants me, once this hacking mess is resolved, to start a new Facebook page for him personally and his business. OMG help.

  • Like 3

34 minutes ago, SunkCostFallacy said:

but for sites like Facebook

Several years ago, Facebook implemented a policy change that required people to select one of three options.
1.  Verify their user-name with a bona-fide Identification.  Then they could continue using that user name with their facebook profile remaining "private".
(This severely impacted people who had created names and were not using their real name.  Some of whom were using their user name as a "stage name" for the purposes of being a show-business performer and etc. & etc.)
2.  Make one's profile "public".  Content of that facebook profile could be viewed by anyone.
3.  Face the deletion of their account.

I had what I thought was a cool username and didn't want to give it up and didn't want to provide an I.D.
As you can imagine, my profile was deleted. 
Some friends told me they could see my posts disappear in real-time as they looked at content I'd created or posted.

I had to create a new profile using my real name, (to comply with facebook's policy requiring people to use real-names or provide documentation about who really owns the account which can use a fake name and exist only as a publicly viewable facebook page).

I haven't looked at the policy or EULA/TOS for facebook in the years since that event.
But, that event worked like a "purge", from what I can remember.

  • Like 2

On 7/14/2024 at 9:56 AM, AdmiralThunder said:

I advised against all the social media sites for my client actually. I was very vocal about not doing Facebook especially. I told him you have an actual business website you don't need that other stuff IMHO. I personally won't go to a business social media site. I will only go to stand alone sites.

I am against social media mainly because it is such a security risk (hello look at the mess I am in with this hacked site - OY!) not to mention a money pit paying me to keep them updated. But, everyone feels compelled to do social media these days so the client insisted on it. I was able to limit it and talked my client into the fewest possible sites that had some relevance to his business vs the huge list he gave me but in the end you have to do what they want. 

What makes me cringe is he wants me, once this hacking mess is resolved, to start a new Facebook page for him personally and his business. OMG help.

 

I believe you mate ... I'm certainly not suggesting that you are providing poor service to your clients.

There comes a time when you can advise until you're blue in the face, but your boss/client just won't listen and the best you can do is just try to mitigate the likely damage.

On 7/14/2024 at 10:08 AM, Wolfswetpaws said:

I had to create a new profile using my real name, (to comply with facebook's policy requiring people to use real-names or provide documentation about who really owns the account which can use a fake name and exist only as a publicly viewable facebook page).

It's a no-win situation isn't it?

Give all of your details to a company which is known for selling its users' private data and for inadequate security, or be disconnected at a time when more and more interaction is taking place over social media.

I'm afraid it's going to get markedly worse in the future.

  • Like 1
  • Thanks 2