Goat Day #18: Pwned
Once upon a time, pwned used to be a gaming term for “dominated” etc. However, now there is a site out there called “Have I Been Pwned”. This site checks your email to see if it’s been compromised in any data breaches. I have monitoring through work, which seems to alert me of data breaches I’ve been affected by almost every month.
After getting a flood of “Suspicious login attempt” emails over the past week from various companies, I finally checked the above site, and sure enough, my email is on the list, in more than one breach (10 actually). Now I have to go try to remember every single site I signed up for in the past 10 years that could possibly be using the same password.
So far I haven’t found any unusual banking activity, but the latest alert I got came from Paypal, and the info I registered with isn’t valid anymore, so that’s going to require a phone call. Fixing this is going to suck, but I’m glad a lot of companies recognize the activity as fraudulent. Most of these accounts are old, when once upon a time it was okay to use the same password across a bunch of sites. My guess is any site I may be compromised on has expired credit card info anyways, so it could be worse, but it still isn’t fun.
Anyways, have you been pwned? Seen any issues after a data breach? Had your identity stolen, or otherwise been hacked in general? It’s possible you have, and don’t even know it.
- 11 comments, 14 replies
If so am unaware.
/giphy fingers crossed

I’m on more than one list too. Fortunately I’d stopped reusing passwords by then, with the possible exception of MySpace (but does anyone care about MySpace anymore?).
No ID theft (yet). But I froze my credit reports a while ago just to be safe.
Yup. Been using that site for a while and it has flagged me on more than one occasion. I have a spreadsheet with sites and logins where I have 136 for me and 21 for my kid that is worth me keeping track of. No idea how many more she has. Makes it easier to remember all one’s accounts and then I can sort on user name or password or whatever to fix these issues. Of course I am screwed if my computer is hacked and someone makes off with that spreadsheet…
What I found entertaining is that I got a notification from one site that someone from India had been trying to log into one of my accounts (was flagged by them a while back and had changed the password) repeatedly.
@Kidsandliz I’ve been locked out of my bank account a couple of times on account of too many password failures — and I knew I wasn’t even using the site at either time, let alone muffing the password. (LastPass remembers passwords for me, so muffings rarely happen).
Always wonder if it’s some clueless person trying to log into their account but getting the user ID wrong.
@TheFLP +1 for LastPass. ProTip: use “identities” for different devices/computers. That way your tablet can still use LastPass but you can only give it access to your wifi and netflix passwords.
Works great for kids devices too (again, use identities!) and you have their passwords to recover or login to a school account from somewhere. And can decide which accounts you want to “share” with them.
Also, separate passwords for every account is the best way to go. A breach at one tells them nothing about any other account’s password.
Also, you should have a separate private email that you use as a recovery email account for LastPass and for your primary email account you use for websites (e.g. Gmail account recovery email)
In addition to two-factor (Authy, Authenticator, and SMS text codes).
Remember, if your phone has access or authenticates you to your email and bank accounts, then don’t forget that a stolen phone is also a world of hurt to undo.
Get a set of one-time passwords and put those in a safe place too. In case you die with your phone, your surviving family can access your accounts to clean up the mess that results when people die IRL and they are locked out of bank accounts, retirement accounts, can’t pay bills online, etc.
I backup my LastPass by regularly exporting to a small thumbdrive (with a separate password protected VeraCrypt encrypted drive mounted - the thumb drive has a copy of the VeraCrypt software too.) kept in a safe location, and make copies for the safe deposit box at the bank (registered to my trust, or TOD (transfer-on-death), or co-owned joint with a spouse, since the bank will seal it upon my death to make sure my estate goes through probate), and a copy to a trusted relative. And they have an instructions envelope on how to load it and that password (on a separate paper so I can change it).
@mike808
After my Amazon account got hacked, I moved to LastPass for a while.
I now use Enpass, with my files backed up to nextCloud.
@mike808 I haven’t gotten paranoid enough (yet) to maintain separate accounts (aside from having one for work and one personal). But I use two-factor authentication and it’s all buried behind multiple passwords and Touch ID. I find it annoying to log into it on my iPad and phone, so it’s doing its job. I think.
I’m trying not to freak out about logging into my bank site just now, only to be told that no accounts are available for management.
@PlacidPenguin I’m looking at BitWarden if LastPass doesn’t keep the ease of use. I also use Yubico keys. The problem with them is that you end up wanting to leave them plugged in if you’re using them all the time, like when you unlock your desktop. That means that if someone steals your laptop or desktop, they’re also getting your yubico key you left in the USB port. Which kind of defeats the purpose in the first place.
LastPass at least has a 30-day authorization window so if your computer gets stolen, LastPass won’t autoload when your browser is launched after 30 days time out.
I made spare Yubicos with LastPass, one for each emergency thumb drive. They might have a good Black Friday sale this year if anyone is looking for a discount. They had an assortment pack (3/4/nano) last year that worked out to about $20 for each one, better than half price.
@mike808
I don’t think BitWarden supports nextCloud, so that would be a deal breaker for me.
(Oh, and I have a lifetime premium license for Enpass which I got a few years ago from a thing they were doing.)
@PlacidPenguin BitWarden supports you hosting your own cloud storage for syncing devices. Offline encrypted VeraCrypt drives are good enough for me. LastPass hosts their own for cloud syncing across multiple devices.
The magic words for me in any “secure” cloud storage is zero-knowledge. There’s an add-on for Box (Boxcryptor) and SpiderOak have it, but most cloud storage has keys managed by the provider, meaning you’re not in control of the encryption.
@Kidsandliz Password protect the spreadsheet and back it up on other devices and mail it to yourself so it’s saved there too. Yes, you do have to remember that password!
@callow it is backed up but not password protected. Thanks for that suggestion.
I had my identity stolen once.
Now there’s two of us without a life.
Kickstarter. Guess what I backed?
I once had somebody access my Amazon account, where they put in their own credit card information, and attempted to have an item sent to that address.
¯\_(ツ)_/¯
After I cancelled the order, I contacted Amazon, who locked me out of my account for a day, and when I was able to access it again, the Texas address and billing info were removed.
@PlacidPenguin I had that happen twice with Walmart. I got emailed about my order. Once to MI for $500 in gift cards and the other to FL for a bunch of kids clothes. I changed passwords several times.
I used a credit card to pay for freight charges on a hot rod engine. The item was shipped freight collect, so I gave the driver my credit card. That was about 10AM. At noon someone ordered 10 pizzas for delivery and used my card number to pay. Any guesses where the pizza was delivered? Yup, the Yellow Freight terminal.
Later that night the card number was used again to pay a Cox Cable bill.
I don’t even need to tell you whose name was on the Cox account, right? This guy should reconsider his decision to build his criminal empire (10 pizzas at a time) and stick with driving.
CC company flagged my account and robocalled me to verify the transactions. Nope, I didn’t recognize them, so they immediately canceled the card and sent out a new one.
Before the card was even delivered there was activity on the account. I guess some Bulgarian hacker syndicate had figured out the CC company’s algorithm for creating account numbers and CVV numbers. So that card was canceled before I even received it. CC company had a bunch of identical fraudulent activity, so they implemented a new security scheme and changed up their algorithms. Took about 2 weeks for them to implement the changes, and once it was sorted they FedExed out a new card.
@ruouttaurmind
Hey, I want a turn to use your credit card.
@ruouttaurmind mmmm pizza
@ruouttaurmind
I had someone change the address on my Petco account to themselves. Unfortunately for them it was an expired credit card on there. Your dude and this one both have earned a dumbest criminal award.
Well and this asshat too - Someone else got their hands on my credit card number (how I don’t know) and then set up a fake account in my name on western union then tried to wire $800 to their real selves. They also paid their Verizon bill that way. Tried to buy some stuff at Lowes except Lowes won’t sell you stuff in the store if you don’t actually have the card. So the stupid shit was now on video camera.
Cops made no effort to find him despite having his name, address, phone number and video of him. I found him though. In jail in the neighboring county for doing the same thing. Then the cops said he is already in jail for doing this, why arrest him again? Umm because he is a repeat offender and he stole some of my stuff. Then the cop said, “Well if we do that our crime rate will go up and we don’t want that to happen do you?”. WTF?
Although that also explains why they refused to take reports when 7 of us had things stolen out of the driveway, out of open garages, out of the yard. Cops said it was our fault for not having the stuff locked up. I then asked him, “using that logic I can then go take whatever I want off of someone’s porch and it’s not a crime?”. He told me no that would be stealing. Go figure. And this is why the crime rate where I used to live was allegedly incredibly low. Got it. Although they did not figure out how to spin the murder that was 2 blocks from me into something not reportable.
Thanks for this @lichme - have an unblame from me!
If you’d like to see some magic, the same guy who runs Have I Been Pwned, also has a site where you can safely check if the password you’re using has shown up in any breach or dump before (using md5, plain text, or sha1 for your password hashing is bad).
https://haveibeenpwned.com/Passwords
If you’re wondering how it could be safe, it uses a mathematical property called k-anonymity (the exact details in the blog linked below), so the receiver never knows exactly what you searched for, only a very general range is returned and then matched locally.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
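Added example (not from the thread or from Have I Been Pwned) showing the k-anonymity range check described above: only the first 5 hex characters of the password's SHA-1 are sent, the service replies with every known hash sharing that prefix, and the match happens locally. The `FakeRangeServer` and its counts are constructed stand-ins so the code runs offline; the live endpoint it imitates is `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# SHA-1 hex digest of the password, upper-case, as Pwned Passwords expects.
def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Only the first 5 hex characters (20 bits) ever leave the client; the other
# 35 stay local. That is the k-anonymity property the comment refers to.
def split_hash(full_hash: str) -> Tuple[str, str]:
    return full_hash[:5], full_hash[5:]

# The range endpoint answers with one "SUFFIX:COUNT" line per known hash
# that shares the requested prefix.
def parse_range_response(body: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

# fetch_range is injected so the logic runs offline; against the real service
# it would GET https://api.pwnedpasswords.com/range/<prefix> (assumption:
# caller supplies that HTTP fetch). Returns how often the password was seen.
def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)  # the full hash is matched here, locally

# Constructed stand-in for the service; the counts are made up, not breach data.
class FakeRangeServer:
    def __init__(self) -> None:
        self.requests: List[str] = []  # records what the client actually sent
        pw_suffix = split_hash(sha1_hex("password"))[1]
        self._ranges = {"5BAA6": f"{pw_suffix}:12345\n" + "0" * 35 + ":7\n"}

    def fetch(self, prefix: str) -> str:
        self.requests.append(prefix)
        return self._ranges.get(prefix, "")

if __name__ == "__main__":
    server = FakeRangeServer()
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, server.fetch))
    print("sent to server:", server.requests)  # only 5-char prefixes
```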
I’ve used it over the years and my info has shown up a few times. Quite some time ago I switched to unique passwords for all my logins. Oddly enough, just a few weeks ago I got a notice my Kohl’s account was locked and to change my password. No sooner had I changed it, within 24 hours I got another notice. I’m guessing my login was floating around the dark web and others were trying it. After resetting it several times over a few days, no one has fucked with it lately. I know quite a bit about e-commerce and fraud as I helped set up the fraud detection at a very large company in the early 2000’s. At the time we were manually checking each and every order for suspicious activity. I can’t begin to tell you how many fraudulent orders for Timberlands come out of Detroit.
Once upon a time someone got my debit card info. Still unsure where they snaked that one from. Spent several thousands at Target, Home Depot, and Toys R US (RIP). It would’ve been easy to check the videos at all three and figure it out but the cops just don’t want to bother. Had to file a police report for the bank to refund my money. When I went to pick up the report, the clerk at the police station told me it was $19 for a copy. I shook my head and said I can’t believe I’m being robbed for a copy of the report about me being robbed. After agreeing it was absolutely ridiculous she looked around and quietly slid the report through the window and told me to go, quickly. I said thanks and scurried out the door.
A couple of weeks ago, I got an email with one of my passwords in the subject line. Email said they’d also turned on my webcam and would share embarrassing videos with all of my contacts unless I sent them $7K in Bitcoin. (Password was one I used multiple places for things like newsletters.)
@walarney
Well, I mean, you’re part of a mediocre forum. How embarrassing could those videos possibly be?
Also, what’s the deal with people using my email address to sign up for newsletters. I’ve unsubscribed from the East Carolina University alumni newsletter several times, but “Helen” keeps re-subscribing me. Lately, I’ve been getting a bunch of mail for “Matthew”. How did they randomly type my email address?