EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > Email Comments, Questions and Miscellaneous
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Email Comments, Questions and Miscellaneous Share your opinion of the email service you're using. Post general email questions and discussions that don't fit elsewhere.

Reply
 
Thread Tools
Old 18 May 2017, 03:46 AM   #1
mister
Essential Contributor
 
Join Date: Jun 2002
Posts: 386
Has your email been hacked?

https://haveibeenpwned.com/
mister is offline   Reply With Quote

Old 18 May 2017, 04:37 AM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Collector of email addresses??
janusz is offline   Reply With Quote
Old 18 May 2017, 06:44 AM   #3
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
Quote:
Collector of email addresses??
I would be suspicious. If you have any worries whatsoever just change the password, assuming you can still access the account. If you can't update the password then I might start worrying.
TenFour is offline   Reply With Quote
Old 18 May 2017, 02:12 PM   #4
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Bell breach may have exposed over 1 million new email addresses to phishing and spam
CBC, May 17

...And if you haven't already, check out Have I been pwned? for yourself. It's operated by computer security expert Troy Hunt — in other words, it's not some fly-by-night operation — and lets you see how many times your personal information has been leaked in previous data breaches affecting sites such as MySpace and LinkedIn.
pjwalsh is offline   Reply With Quote
Old 18 May 2017, 10:04 PM   #5
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Quote:
Originally Posted by TenFour View Post
If you have any worries whatsoever just change the password.
Won't do any good against spamming and phishing.
janusz is offline   Reply With Quote
Old 19 May 2017, 03:38 AM   #6
mister
Essential Contributor
 
Join Date: Jun 2002
Posts: 386
Quote:
Originally Posted by janusz View Post
Collector of email addresses??
I have a Yahoo account which I know has been compromised and this gives it an OK, I'm not too sure how useful this is.
mister is offline   Reply With Quote
Old 19 May 2017, 04:53 AM   #7
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Quote:
Originally Posted by mister View Post
I have a Yahoo account which I know has been compromised and this gives it an OK.
it depends HOW it was compromised, e.g. I don't expect stealing the password is detectable by a 3rd party.
janusz is offline   Reply With Quote
Old 19 May 2017, 08:08 PM   #8
Dutchie007
Essential Contributor
 
Join Date: Jun 2010
Location: The Netherlands
Posts: 388
Quote:
Originally Posted by mister View Post
I have a Yahoo account which I know has been compromised and this gives it an OK, I'm not too sure how useful this is.
It also depends WHEN you checked?? before or after the breech?,-)

If you change your Password,set 2 step validation and even make a new security question you should be OK.

D
Dutchie007 is offline   Reply With Quote
Old 20 May 2017, 10:38 AM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
Unfortunately, most websites and services don't support two-factor authentication. The problems with the current poor security policies of many services and the way that users set up their security include:
  • The most important accounts you have are the ones used for resetting account passwords and for two-factor authentication. So your text messaging account and/or email account used for resets and authentication need to be the most secure accounts you set up. You can lose control of all of your other accounts if someone gets control of your reset email account and then proceeds to reset the passwords on all of your services!
  • The passwords used for each of your accounts need to be unrelated to your other passwords. This is impossible to do if you try to remember long passwords, so it's by far safest if you use password safe software and then make the software for the password safe the only complex password you need to remember.
  • Because of social media and the personal questions asked by most sites when you set up your account, it's not that hard for a thief to discover the city you were born in, your grandparent's middle names, your first dog and car, etc. If you answer those questions for an account which is then hacked and these answers are revealed, then another site which happens to ask some of the same questions will be much easier to crack. Two-factor authentication doesn't help if the attacker gets control of your reset email account and can guess security questions and the service allows that method of resetting your account.
  • Authentication phishing can also be a problem. Don't respond to unexpected two factor authentication text or email messages, since it's probably a hacker trying to get you to give them your credentials.
  • Another potential problem is domain name or DNS theft. If someone steals the domain or obtains control over the DNS records, they can send authentication and password reset messages which only they can read. They can then lock you out of your accounts.
So it's very important that you use different passwords for every service. If you re-use a password, anyone hacking the first account has a good chance of getting into the second account.

Bill
n5bb is offline   Reply With Quote
Old 20 May 2017, 06:21 PM   #10
evilquoll
Member
 
Join Date: May 2017
Location: Emergency temporary account of ROBERT.BAK
Posts: 36
Quote:
Originally Posted by n5bb View Post
(list converted to numbered for ease of quoting)
[...]
2)The passwords used for each of your accounts need to be unrelated to your other passwords. This is impossible to do if you try to remember long passwords, so it's by far safest if you use password safe software and then make the software for the password safe the only complex password you need to remember.
3)Because of social media and the personal questions asked by most sites when you set up your account, it's not that hard for a thief to discover the city you were born in, your grandparent's middle names, your first dog and car, etc. If you answer those questions for an account which is then hacked and these answers are revealed, then another site which happens to ask some of the same questions will be much easier to crack.
2): Although anyone who thinks about it knows that "nothing is impossible" is a contradiction in terms (and there are several cast-iron proven impossibilities, such as dividing an arbitrary angle into three equal parts using only straightedge and compasses), there is too much use of "impossible" to mean merely "very difficult". It's possible to create passwords of at least medium strength and still easily memorable by taking a phrase related to the account (the longer, the better) and using its initials (and sound->number or letter->number substitution) to form the password. For example, "all your base are belong to us" could be transformed into "Aybrb2u" (OK, a longer phrase would be preferable, but this is just illustrative). For my part, I store my passwords in an encrypted Word document (and use Kingsoft Office if I need to read it whilst out).
3) For this reason, back in the early 2000s security expert Tom Simondi recommended to always give fictional answers to password-reminder questions (he used an "internet mother's maiden name" which was quite different from his real mother's maiden name). (If you are on a service which insists on real answers to those questions, move to another sharpish — they're clueless, or planning to sell that information, or both.) Nowadays, I treat password reminders as passwords, and use the same kind of highly-random sequences for both (and note them in my password repository).
evilquoll is offline   Reply With Quote
Old 20 May 2017, 06:56 PM   #11
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Quote:
Originally Posted by evilquoll View Post
If you are on a service which insists on real answers to those questions, move to another sharpish
Which services insist on real answers to questions like "your mother's maiden name" or "name of your first school"? Do you have to produce birth/school certificate to get your answer accepted?
janusz is offline   Reply With Quote
Old 21 May 2017, 02:05 AM   #12
jarland
Essential Contributor
 
Join Date: Apr 2014
Posts: 399

Representative of:
MXRoute.com
Yeah I'm in so many leaks it's insane. Search "jarland@mac.com" for the fun of it.

These days it's not even a question of whether you'll be compromised if you sign up for a lot of internet services. It's about damage control. Using 2FA everywhere you can, using passwords designed to take impossibly long to crack by reasonable means. Unique passwords everywhere, never the same one twice. Rotate anything of importance regularly. A solid and locally controlled password manager is also key to surviving in today's internet.

Now, I'll step down from the security pedestal that we nerds tend to get on for one thing. Your security should be relative to the value of the data behind it. Would I have an eye scanner on my shed where I keep only a broken down lawn mower? Of course not. If you honestly don't care who gets into it, and what's inside is of no consequence, don't perform security theater. You just do you at that point
jarland is offline   Reply With Quote
Old 21 May 2017, 04:20 AM   #13
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Quote:
Originally Posted by jarland View Post
Your security should be relative to the value of the data behind it. Would I have an eye scanner on my shed where I keep only a broken down lawn mower? Of course not. If you honestly don't care who gets into it, and what's inside is of no consequence, don't perform security theater.
Hear hear.
Contributors to this forum please note.
janusz is offline   Reply With Quote
Old 23 May 2017, 07:34 AM   #14
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
The thing I find about password reset questions is that you do need them eventually, so fake answers are bound to lock you out too! I've just had to go through all sorts of hoops for an elderly relative that can't remember anything anymore, but thanks to their password questions being decipherable to me (with some research) I was able to break into their accounts and save them from huge medical bills, etc., by being able to pay overdue invoices. A few years ago I had to go through the Google reset process and was just barely able to do it, thanks to having answered questions with real answers. So, this cuts both ways to me: it indicates that it is fairly easy to break into an account once you know a lot about a person, but on the other hand if you make it too hard to get in you will be locked eventually too! The thing is that some questions are pretty common, but how would a hacker know which question is used with which account? In other words, the make and model of my first car could be used on several sites, but even I do not know on which ones it was asked. How could a hacker use that information if they somehow obtained it? I suppose they could if they were targeting me and I was a high-value target, but I strongly suspect I am not (no money) and most of us are not so the effort required would be much higher than the reward.
TenFour is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 08:12 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy