Accounts Security (external credentials used, not this site)

mclemore (Administrator, Staff member)
This week we had 3 breached accounts where it appears a low-grade Russian hacker operating out of Moldova came and posted some forum spam. For many sites, this is routine, not worth mentioning, and not something they want to talk about anyway. In our case, I think it's an opportunity for some discussion.

The breached accounts were shut down and we investigated further. Upon review, we discovered 7 more breached accounts, for a total of 10 this week (all same hacker).

And it turns out that 4 of the 10 accounts were also breached last August by a different Russian (possibly out of St. Petersburg), leading us to find 14 accounts breached then (including the 4 breached both times). So we shut down a total of 20 accounts this week.

In each of these cases, and for reasons I'll not expand upon, the hackers don't appear to be particularly sophisticated, and it was easy to track them. They also (frankly) don't seem to have caused too much trouble.

All breached accounts appeared primarily inactive, some with last activity quite a number of years ago.

About 1/3 of login attempts by these 2 hackers resulted in a successful login, demonstrating that hackers weren't just trying random email/password sets from known breaches of other sites, but in fact were working from lists that included web site, email address or username, and password. These observations are consistent with some breached accounts by another Russian that caused drama about a year ago (drama because the timing was bad, offices were closed, and being conservative we over-reacted).

Lack of any brute force attack attempts leaves 2 likely possibilities: (a) general malware installed on users' computers, or (b) breaches of password vault programs/sites. Both happen, but I'm getting more and more suspicious and concerned about the latter.
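The distinction drawn above (a high success rate with roughly one attempt per account points to a site/email/password list, whereas many failed guesses against few accounts is brute force) can be checked mechanically against an auth log. This is an added example, not the site's own code; the log lines and the thresholds are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not from the site): source IP, account, result.
SAMPLE_LOG = """\
2024-03-01T02:10:05Z src=203.0.113.7 user=oldmember1 result=ok
2024-03-01T02:10:41Z src=203.0.113.7 user=oldmember2 result=fail
2024-03-01T02:11:09Z src=203.0.113.7 user=oldmember3 result=ok
2024-03-01T02:11:30Z src=203.0.113.7 user=oldmember4 result=fail
2024-03-01T02:12:02Z src=203.0.113.7 user=oldmember5 result=fail
2024-03-01T02:12:44Z src=203.0.113.7 user=oldmember6 result=fail
2024-03-01T03:00:00Z src=198.51.100.9 user=admin result=fail
2024-03-01T03:00:01Z src=198.51.100.9 user=admin result=fail
2024-03-01T03:00:02Z src=198.51.100.9 user=admin result=fail
2024-03-01T03:00:03Z src=198.51.100.9 user=admin result=fail
2024-03-01T03:00:04Z src=198.51.100.9 user=admin result=fail
2024-03-01T03:00:05Z src=198.51.100.9 user=admin result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail)")

def summarize(log_text):
    """Per source IP: total attempts, distinct accounts tried, successful logins."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a login event
        src, user, result = m.groups()
        s = stats[src]
        s["attempts"] += 1
        s["accounts"].add(user)
        s["ok"] += result == "ok"
    return stats

def classify(src_stats, min_attempts=5):
    """Label one source's pattern. Thresholds are assumptions; tune to real traffic."""
    attempts = src_stats["attempts"]
    if attempts < min_attempts:
        return "too-few-attempts"
    per_account = attempts / len(src_stats["accounts"])
    success_rate = src_stats["ok"] / attempts
    if per_account <= 1.5 and success_rate >= 0.2:
        return "credential-list"  # one try per account, unusually high hit rate
    if per_account >= 5 and success_rate < 0.2:
        return "brute-force"  # many guesses against few accounts, mostly failing
    return "unclear"

def classify_log(log_text, min_attempts=5):
    return {src: classify(s, min_attempts) for src, s in summarize(log_text).items()}
```

The first source in the sample hits 2 of 6 distinct accounts (the roughly 1/3 rate described above) and is labelled as working from a list; the second hammers one account and is labelled brute force.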

Password managers are hacked regularly - both on users' computers and at vault HQs. LastPass for example seems to have had only 2 quiet years since 2014, with publicly discussed security issues in 2014, 2015, 2016, 2017, 2019, 2020, and 2022 (leaving only 2018 and 2021 without news):

https://password-managers.bestreviews.net/faq/which-password-managers-have-been-hacked/

On the subject of LastPass, after their recent breach, they basically seem to have said "No worries, your stolen data is safe -- It's no big deal".

However, others have begged to differ and have evidence suggesting the situation at LastPass, in particular for a good chunk of users, might be much more severe:


I think their challenges are not unique. Password vaults are super-inviting targets to some of the world's most sophisticated hackers. And when they get their hands on data, it gets used. Stolen data loses value over time until it ends up all over the place. I'm guessing that's what happened this week -- old, then low value data was used by unsophisticated trolls.

Users

Make sure your computers are clean, and regularly scan with products like Malwarebytes (free version works great and with on-demand scans doesn't slow down your computer). If you are using a password vault, update the password on the vault every once in a while. Use unique passwords on each site you visit. Etc. etc. You've heard it before...

Please have a phone number on file here if you can. More than half the breached accounts provided no trustworthy (non email address) way to reach the member... In the past, for breached accounts, a decent % of the time the user's email account access has been breached too, and a decent % it hasn't. So without a phone number on file, I'm simply shutting down accounts. We don't have time to try and figure out if a user is the original real user or not though. It's much easier to tell people to just sign up on a new account (which is what usually happens if one hasn't been ultra active on this site).

Thanks to several users for using the report post feature on the hacker's spam posts. That allowed moderators to quickly deal with these posts and ban the accounts. Which led to further research and the discovery of the other 17 accounts that had been breached over the last 6 months.

For this site

About 2 months ago we began restricting logins by anyone that hadn't logged in for a period of more than 3 years. If you are inactive longer than that, you need to verify your email address on file again even if you know your email and password. That move took literally tens of thousands of accounts offline. We will further reduce the inactivity timeout window in the coming months, but we need to take some other steps first for reasons I won't get into now. [Side Note: At least 3 of the 10 accounts breached this week likely wouldn't have been susceptible to breach except that they had already been breached last year. As such, they weren't 'inactive' at time of the attempts this week.]

Whenever anyone signs up new, or changes their password, we force them to use a username password combination not in a database of 12 billion (yup, billion, not million) breached accounts: https://haveibeenpwned.com/ We will continue to take steps to make it more and more encouraged to not use dangerous passwords here.
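As an added example (not the site's own code), the k-anonymity lookup that Have I Been Pwned's Pwned Passwords API uses for a check like the one described above: only the first five hex characters of the password's SHA-1 hash leave the client, and the match against the returned suffixes happens locally. The range response below is constructed for the prefix of the well-known hash of "password"; its counts are made up, and the `fetch_range` helper against the live API is an assumption that is not exercised offline:

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """Hash with SHA-1 (what the Pwned Passwords API keys on) and split 5/35 hex chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; zero-count (padding) rows are dropped."""
    out = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit() and int(count) > 0:
            out[suffix.upper()] = int(count)
    return out

def fetch_range(prefix):
    """Fetch the range for a 5-hex-char prefix from the live API (network, not run offline)."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Number of times the password appears in the breach corpus; 0 means no match."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts 5BAA6);
# the counts here are made up, and the third row mimics API padding.
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
FEDCBA9876543210FEDCBA9876543210FED:0
"""

def offline_demo():
    """Run the check against the embedded sample instead of the network."""
    sample = lambda prefix: SAMPLE_RANGE_5BAA6
    return breach_count("password", sample), breach_count("a different passphrase", sample)
```

A sign-up form would reject the password when `breach_count` returns anything above 0; the password itself is never sent anywhere.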

We are experimenting with 2FA (2 Factor Authentication) systems like Google Authenticator and cell phone SMS.

We continue to work towards building systems to make it easier to detect more and more suspicious activity, and to make account recovery for users easier when an account is breached.

[Now all this deals with hackers. Scammers are a whole different problem. I have some ideas there too to help discourage (but likely never eliminate) scammers, but it's a more challenging and longer term problem, and the topic for a different thread on a different day.]

UPDATE: If the subject of account breaches interests you, see last year's announcement about same:
