Security Enhancements, and Breaches on Other Sites.

mclemore

We continue to enhance security on this site. And a bunch of people are likely about to get locked out...

Over the past month, at least nearly a dozen and likely more accounts on this site have been breached by hackers using credentials stolen from other sites. At least one of these accounts was used to try and con money out of people. No matter how many warnings we give people about not using the same credentials on different sites, it seems at least 20% of our users are inclined to. We spent hours yesterday trying to figure out if certain suspect accounts were breached or not.

Previously we checked passwords against a breached database when someone signed up, changed their password, or used the lost password/password reset feature. If the password selected was previously used in a known breach, we disallowed it.

We are also going to force re-verifications if you haven't logged in for a while, or if you haven't verified your email address in a while. We will be adding support for verification by SMS in addition to email also (though that won't eliminate the requirement to keep a current email address).

Effective today, if a user simply logs in with a breached password, we will force them to re-verify their account by an email sent to them.
Now a number of users here aren't good about keeping their email address up to date on the system. If this is you, then you will be locked out. And if you didn't have a secondary email address or SMS verified phone number on file, we probably won't have time to help you any time soon. And if we find the time, how would we even verify you? We regularly get someone who begs to be let back into their account and we can't help -- no secondary email, no phone number, often not even a name and address to go by.

We are also implementing other notice and security features, but we'll decline to announce them here.

This is a growing problem across the internet. Just this week in the news we learned about the 'Mother of all Breaches (MOAB)'. In this single breach, 26 billion (yes billion not million) contacts and passwords were exposed:
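An added example of the breached-password check the post describes (not the forum's own code): it follows the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords API, where the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally, so the full hash never leaves the site. The range response is constructed for offline use (the breach count is made up), and `fetch_range` is a hypothetical hook standing in for the HTTP request.

```python
import hashlib
from typing import Callable, Dict, Tuple

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """(5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# Only the "password" entry's suffix is real (computed below); the other
# suffixes and every count are made up for this example.
_PREFIX, _SUFFIX = split_hash("password")
SAMPLE_RANGES = {
    _PREFIX: "\r\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:3",
        f"{_SUFFIX}:3861493",
        "F" * 35 + ":1",
    ])
}

def offline_fetch(prefix: str) -> str:
    """Hypothetical fetch hook: returns the range body for a prefix, or ''."""
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """Times the password appeared in known breaches (0 if never seen).
    The server only ever receives the 5-char prefix; matching is local."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_allowed(password: str) -> bool:
    """Post's policy for signup/change/reset: any breached password is rejected.
    At login, the same False result is what triggers forced re-verification."""
    return breach_count(password) == 0

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: breaches={breach_count(pw)} allowed={password_allowed(pw)}")
```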
