Omega Owners Forum


Author Topic: haveibeenpwmed.com  (Read 5109 times)


zirk
  • Omega Queen
  • Gender: Male
  • Epping Forest
  • Posts: 11431
  • 3.2 Manual Special Saloon ReMapped and LPG'd and 3.2 Manual Special Estate
Re: haveibeenpwmed.com
« Reply #15 on: 31 August 2017, 10:39:11 »

Quote
For info I have 2 entries on there, mainly from harvested details from a couple of websites that should have done better to protect themselves. Follow the basics above and you'll be fine :y

Incidentally - I figure it's likely only you who'll be interested in this ;) A colleague of mine has the source files from the recent leak (the ~711m records) and has cracked 100% of the hashed passwords contained therein..

..it took 32 NVidia GeForce 1080TIs under 12hrs to do. :o

I don't know if I'm more impressed that he found the source files, or that he has 32 (expensive!) graphics cards to dedicate to hash cracking..
A friend of mine is the IT Manager of a Private High School, or whatever they're called these days. Anyway, come the summer holidays plus the other breaks, he has a large network of computers (and, as you say, graphics card power) at his disposal. :-X

aaronjb

  • Guest
Re: haveibeenpwmed.com
« Reply #16 on: 31 August 2017, 10:43:39 »

Kevin -  ;D ;D He has a six month old kid so I am assuming it was "Must escape from baby" time in his household ;)

Actually I was off on my statistics - it took six hours, 32x 1080TIs and another ~50 other, smaller GPUs..

Quote from: Allenm
Under "Breaches you were pwned in" it says "Online Spambot"

I can't see how a spam bot would have got the password though - I don't follow email links unless I absolutely trust them, and even then, I go to the homepage of the site by typing it in on the address bar.

Allen, then further down the page you should see:

Quote
Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data: Email addresses, Passwords

A spam bot didn't get your password; a spam bot was using your password (potentially). This would be the breach I just noted as needing only 6 hours for a single individual to crack the password hashes; organised criminals would have even more power at their disposal.

Basically .. change your password(s). Everywhere, because Troy (who runs HIBP) isn't going to tell you which password has been compromised. Theoretically I could find out via Justin (the aforementioned individual with time on his hands) but I can't really pimp him out as a service ;)

FWIW, he worked out that ~95% of his Facebook friends all have their details (including password, including mine!) in that dump, so you're not alone.
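The practical follow-on to the post above is checking a password against HIBP without ever sending it anywhere. HIBP's Pwned Passwords range API (not mentioned in the thread) works by k-anonymity: you send only the first five hex characters of the password's SHA-1 and get back every suffix HIBP holds for that prefix, then match the remaining 35 characters locally. The block below is an added example, not code from the thread or from HIBP; the endpoint shape (GET https://api.pwnedpasswords.com/range/<prefix>, one "SUFFIX:COUNT" line per hash) is the documented API, while the sample range and its counts are constructed so the demo runs offline.

```python
"""Check a password against HIBP Pwned Passwords with the k-anonymity range API.

Added example, not code from the thread. Only the 5-char SHA-1 prefix leaves the
machine; the 35-char suffix is compared locally against what HIBP returns.
The sample range below is constructed for offline use (counts are made up).
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """(5-char prefix that is sent to HIBP, 35-char suffix that stays local)."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings and skips blank or malformed lines instead of
    trusting them.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


# Constructed sample range for prefix 5BAA6 (SHA-1 of "password" starts 5BAA61E4...).
# A real response carries several hundred suffixes; these counts are invented.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call: serve the constructed ranges, empty otherwise."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real query against HIBP (needs network). Not used by the offline demo."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Times the password appears in the returned range (0 = not found).

    The full hash is never sent: only the prefix goes to `fetch`, and the
    suffix lookup happens here.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "myauntoncedyedherhairpink"):
        print(pw, "->", breach_count(pw))
    # Swap in live_fetch to query HIBP for real:
    # print(breach_count("password", fetch=live_fetch))
```

A non-zero count means the exact password is in a public dump and should be retired everywhere it was used; a zero only means HIBP has not seen it, not that it is strong.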

Gaffers
  • Omega Queen
  • Gender: Male
  • NE Hampshire/Surrey
  • Posts: 11322
  • Ford Ranger Wildtrak
Re: haveibeenpwmed.com
« Reply #17 on: 31 August 2017, 10:54:54 »

I would urge caution against using online password managers; they are often targeted for obvious reasons and they are not infallible. Only use offline ones that you can control access to (and by that I do not mean an Excel spreadsheet; just look at Sony Pictures to figure out why that is a very bad idea).

I have recently got a Mooltipass to play with and I am quite impressed.  The wife is terrible at remembering the passwords for her important, yet frequently used, accounts and so needs this device.  I have trouble remembering all the various passwords for the Raspberry Pi devices I run so rather than using the same for them all or writing them down I have a separate card for me which I use for that.  It can also be used for a digital will in the event of death or incapacitation so that NoK can access the important stuff.

Allenm
  • Senior Member
  • Gender: Male
  • Milton Keynes
  • Posts: 642
Re: haveibeenpwmed.com
« Reply #18 on: 31 August 2017, 11:05:30 »

Quote from: aaronjb on 31 August 2017, 10:43:39

Thanks Aaron, I will have to change all my passwords then! What a ball ache. I don't use the same password across multiple sites, so have shitloads as a result.

Doctor Gollum
  • Get A Life!!
  • Gender: Male
  • In a colds and darks puddleses
  • Posts: 28172
  • If you can't eat them, join them...
  • Feetses.
Re: haveibeenpwmed.com
« Reply #19 on: 31 August 2017, 13:12:27 »

LinkedIn seems to be the source. I no longer have a LinkedIn account, haven't done for a while now. Should I worry, or is it the current email address etc. that has been exposed? :-\
Onanists always think outside the box.

biggriffin
  • Omega Lord
  • huntingdon, Hoof'land
  • Posts: 9756
  • Vectra in a posh frock.
Re: haveibeenpwmed.com
« Reply #20 on: 31 August 2017, 13:28:43 »

Quote from: aaronjb on 31 August 2017, 10:43:39
Quote
Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data: Email addresses, Passwords

The above statement is what I got on one email address. Could it be linked to one company (Virgin)?
Hoof'land storeman.

frostbite
  • Senior Member
  • Gender: Male
  • Roanapur City aka Skem
  • Posts: 631
  • 00' e46 325i se
Re: haveibeenpwmed.com
« Reply #21 on: 31 August 2017, 13:47:22 »

I have 2, but I have never been on those sites: Last.fm and River City spam list, both of which had issues back in 2012 according to the checker.
e46 325i se - 1.8vvti avensis liftback

omega2018
  • Omega Knight
  • Posts: 1080
  • 2.6 manual elite
Re: haveibeenpwmed.com
« Reply #22 on: 01 September 2017, 00:54:04 »

It's easy to have just one basic password but never use the same password for every site. Then for every site you will know each individual password but only have to remember one password. Just needs a bit of thinking about 8)

Similar method with PIN numbers: you can write a different number (which isn't the PIN) on all your cards, then by adding the number you do remember (and isn't written down) to each, you generate the PIN unique to that card. :y
« Last Edit: 01 September 2017, 00:57:53 by migmog »

aaronjb

  • Guest
Re: haveibeenpwmed.com
« Reply #23 on: 01 September 2017, 08:48:41 »

I'm just going to leave this here:

(Trouble is, most sites restrict the number of characters you can enter..)

Gaffers
Re: haveibeenpwmed.com
« Reply #24 on: 01 September 2017, 09:10:34 »

ahem...dictionary attacks....ahem... ::)

aaronjb

  • Guest
Re: haveibeenpwmed.com
« Reply #25 on: 01 September 2017, 09:13:44 »

Quote from: Gaffers on 01 September 2017, 09:10:34
ahem...dictionary attacks....ahem... ::)

Still made much more complex by passphrases rather than passwords.

What are the odds of a dictionary having "myauntoncedyedherhairpink" in it?

Gaffers
Re: haveibeenpwmed.com
« Reply #26 on: 01 September 2017, 12:19:56 »

Depending on the phrase, the entropy of a passphrase can be very weak, and it is reduced even further by adding a bit of Natural Language Programming in order to work out possible word combinations like you describe. You may have to have quite a long phrase in order to achieve the same entropy as a good complex 20-character password, remembering that some websites restrict the size of a password to 20 chars or less due to the constraints on their hashing and salting algorithms. This is where password managers come in, and as long as they are offline and you keep a backup they tick nearly every single box. They aren't perfect, but then nothing is; in this world it is all about making it hard to hack/break in/defraud you rather than your neighbour.
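The exchange between aaronjb's "myauntoncedyedherhairpink" and Gaffers' point about combinator attacks comes down to which model the attacker uses. The block below is an added worked example, not code from either poster: it scores the same phrase two ways (as random lowercase letters, which is how it looks to the person who chose it, and as independent picks from a word list, which is how a dictionary/combinator attack sees it) and compares both against a random 20-character password drawn from the 95 printable ASCII characters. The 5,000-word vocabulary, the 1e12 guesses/second rate and the word split of the phrase are assumptions for illustration.

```python
"""Guessing-entropy estimates for a passphrase versus a random 'complex' password.

Added example (not from the thread). The phrase is aaronjb's
"myauntoncedyedherhairpink"; vocabulary sizes, the hash rate and the word
split are assumptions chosen for illustration, not measurements.
"""
import math

PRINTABLE_ASCII = 95   # alphabet a random 'complex' password can draw from
LOWERCASE = 26         # what a naive letters-only model sees in the phrase

ASSUMED_VOCAB = 5000   # assumed attacker word list: common English vocabulary
ASSUMED_RATE = 1e12    # assumed guesses/second against a fast unsalted hash
SECONDS_PER_YEAR = 31_557_600


def random_password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits_as_words(word_count: int, vocabulary_size: int) -> float:
    """Entropy when the attacker guesses the phrase as word_count independent
    picks from a vocabulary (a dictionary/combinator attack)."""
    return word_count * math.log2(vocabulary_size)


def passphrase_bits_as_letters(phrase: str) -> float:
    """The same phrase scored as if it were random lowercase letters (too generous)."""
    return random_password_bits(len(phrase), LOWERCASE)


def words_needed(target_bits: float, vocabulary_size: int) -> int:
    """Smallest number of vocabulary words whose word-model entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocabulary_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time to find the secret by exhaustive guessing: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(phrase_words, complex_length: int = 20,
            vocabulary_size: int = ASSUMED_VOCAB, rate: float = ASSUMED_RATE) -> dict:
    """Side-by-side figures for a word-split phrase and a random complex password."""
    phrase = "".join(phrase_words)
    word_bits = passphrase_bits_as_words(len(phrase_words), vocabulary_size)
    letter_bits = passphrase_bits_as_letters(phrase)
    complex_bits = random_password_bits(complex_length)
    return {
        "phrase": phrase,
        "phrase_bits_word_model": round(word_bits, 1),
        "phrase_bits_letter_model": round(letter_bits, 1),
        "complex_bits": round(complex_bits, 1),
        "words_to_match_complex": words_needed(complex_bits, vocabulary_size),
        "phrase_years_word_model": expected_crack_seconds(word_bits, rate) / SECONDS_PER_YEAR,
        "complex_years": expected_crack_seconds(complex_bits, rate) / SECONDS_PER_YEAR,
    }


# Constructed split of aaronjb's phrase into the words a combinator attack would try.
EXAMPLE_WORDS = ["my", "aunt", "once", "dyed", "her", "hair", "pink"]

if __name__ == "__main__":
    for key, value in compare(EXAMPLE_WORDS).items():
        print(f"{key:>26}: {value}")
```

Under the letter model the phrase scores about 117 bits; under the word model it drops to about 86, against roughly 131 bits for the 20-character random password, and matching that with 5,000-word vocabulary picks takes 11 words. Real phrases fare worse than the word model because the words are not independent, which is the grammar-aware narrowing Gaffers describes.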

STEMO

  • Guest
Re: haveibeenpwmed.com
« Reply #27 on: 01 September 2017, 12:32:44 »

I would imagine the thing you would like to protect more than anything else would be your banking. I use the iOS apps rather than websites and, I think, they're pretty secure.

Gaffers
Re: haveibeenpwmed.com
« Reply #28 on: 01 September 2017, 12:38:23 »

Depends on the app, as some are built well whereas others are absolute dog toffee. Plus, sometimes the teams they hire to pentest the app are not very good, but as long as they get their tick in the box to say it has passed testing.....

tigers_gonads
  • Omega Lord
  • Gender: Male
  • Kinston Upon Hull
  • Posts: 8592
  • Driving a Honda CR-V which doesn't smell of pee
  • Honda CR-V
Re: haveibeenpwmed.com
« Reply #29 on: 01 September 2017, 12:41:29 »

Checked mine, all okay  :y

As for passwords, all based on the same thing BUT slightly different  ;)
House Wi-Fi one is 34 characters long and uses more than just numbers and letters ;)