
Important: Another Wave of Account Hacks

amirm (Founder/Admin, Staff Member, CFO (Chief Fun Officer))
Joined Feb 13, 2016 | Messages 45,432 | Likes 250,426 | Location: Seattle Area
We have had about half a dozen accounts taken over and spam posted in the name of the member. It is not a breach of our system. Somehow these people are getting hold of member credentials and logging in. We usually ban them and try to contact the member if the spammer has not changed the email address.

If you have not recently changed your password, it may be a good idea to do so.

You may also want to enable 2-factor authentication. Note that this expires every 30 days and you must use an app on your phone to get an authorization code to log in. If it is too much hassle, you can enable it now and disable it later.
 
I had 2FA enabled until I realized it kicks you out every 30 days and you need to log in again. Is there a way to make this feature optional? I'd be happy to keep 2FA on if the cookies didn't expire despite daily use.
 
I recently read somewhere that most user account hacks are caused by third-party Chrome ChatGPT add-ons/extensions that people install.
I thought it was malware which captures all keystrokes.
 
Hacks are less common than just plain bad passwords. I suggest using a password manager so you can have real passwords and different ones for each site.
I agree. And by "real password" I would mean long and random, which makes the password impossible to guess. The password manager (I use KeePass) means you can have a unique long random password for every account, i.e. no sharing. So that means if a password for one account somewhere gets stolen then it's useless anywhere else.
 
There are lots of ways it can happen, it's also common if you re-use passwords across sites
That's common. When you give a password to a web site, you don't know how they store it. News stories used to be common that a big hack got dumped on the dark web with millions of usernames and passwords, but I guess those news stories got boring so I don't see them any more; I doubt the hacks are less common, though. You minimize the damage if you use a unique, long, random password for each service.

The other common one is using crappy, easy-to-guess passwords.

I think it's silly to try to fix either of these two common problems with two-factor auth. Fix your password hygiene and then add 2FA to the most critical sites.
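The two points made in the thread so far, that a password manager lets you use a long random password that is unique per site, and that you cannot know how a site stores what you give it, can be shown together in a small simulation. This is an added example, not code from the forum or any of the posters; it uses only the Python standard library. Generation uses the OS CSPRNG (`secrets`); the "site" side contrasts plaintext storage with a per-user salt and scrypt, and `credential_stuffing` replays a plaintext dump from one site against another, which is exactly what reuse makes possible. The scenario (users "alice" and "bob", the reused password, the 1e11 guesses/second rate) is constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# 94 printable ASCII symbols, the set most password generators draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed offline guess rate for a leaked fast hash on a GPU rig; illustrative only.
ASSUMED_GUESSES_PER_SECOND = 1e11


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG; one per site, never reused."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try the whole keyspace at `rate` guesses per second."""
    return (2.0 ** bits) / rate / (365 * 24 * 3600)


# --- server side: the two ways a site might keep what you give it ---

def store_plaintext(db: dict, user: str, password: str) -> None:
    """The bad practice: a dump of `db` hands the attacker the password itself."""
    db[user] = password


def _kdf(password: str, salt: bytes) -> bytes:
    # scrypt with N=2^14, r=8, p=1 (about 16 MiB per guess) slows offline cracking.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def store_hashed(db: dict, user: str, password: str) -> None:
    """Per-user random salt + memory-hard KDF; a dump yields only salted digests."""
    salt = secrets.token_bytes(16)
    db[user] = (salt, _kdf(password, salt))


def verify_hashed(db: dict, user: str, password: str) -> bool:
    """Constant-time check of a login attempt against the stored digest."""
    if user not in db:
        return False
    salt, digest = db[user]
    return hmac.compare_digest(_kdf(password, salt), digest)


def credential_stuffing(leaked: dict, target_db: dict) -> list:
    """Replay plaintext credentials leaked from one site against another site's
    accounts; returns the users whose reused password opens the second account."""
    return [u for u, pw in leaked.items() if verify_hashed(target_db, u, pw)]


def demo() -> dict:
    """Constructed scenario: 'alice' reuses one human-chosen password on both
    sites; 'bob' uses a unique generated password per site. Site A stores
    plaintext and gets breached; site B stores salted scrypt digests."""
    site_a, site_b = {}, {}
    shared = "Summer2023!"
    store_plaintext(site_a, "alice", shared)
    store_hashed(site_b, "alice", shared)
    store_plaintext(site_a, "bob", generate_password())
    store_hashed(site_b, "bob", generate_password())
    return {
        "compromised_on_b": credential_stuffing(site_a, site_b),  # the site A dump, replayed
        "bits_8_random": entropy_bits(8),
        "bits_14_random": entropy_bits(14),
        "years_14_random": years_to_exhaust(entropy_bits(14)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy figures are for uniformly random passwords only; a human-chosen 14-character password like "Summer2023!!!!" has far less, which is why the generator, not the length rule alone, is what buys you the margin.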
 
I think recent info indicates that using 2FA reduces your chances of this happening by 99%. I think the real number from some investigations was 99.1%, but in any case, probably even more helpful than using good passwords. Not that one should use poor passwords. The other thing I noticed in reading these reports is having 14 characters or more was one big hurdle to make you a little safer. Not as good as truly random complex passwords, but a big help. I don't find 30 day renewals much of a hassle.

Even better would be passkeys. They are becoming more common, but not pervasive yet.
 
Hacks are less common than just plain bad passwords. I suggest using a password manager so you can have real passwords and different ones for each site.
Huge +1. If you aren't already using something like KeePass or LastPass, start before someone comes along and cleans out your bank account and sends your naked pictures to all of your relatives.
 
Huge +1. If you aren't already using something like KeePass or LastPass, start before someone comes along and cleans out your bank account and sends your naked pictures to all of your relatives.
I don't have any naked pictures. Maybe if I had some that is one way I would quickly get notified of a serious breach.
 
If you aren't already using something like KeePass or LastPass,
The difference between these two is important. With KeePass you keep your encrypted password database yourself. With LastPass and any other cloud-based service like that you give your passwords to the cloud service for them to keep in their database, so you rely on the service provider to implement all their software and networking and management 100% perfectly. Such services are high-value targets, so we can assume they are being attacked all the time. One mistake on their part... And LastPass, just for example, has made several high-profile mistakes.

With KeePass and similar the database is distributed: it doesn't contain everyone's passwords -- only yours. But there are downsides 1) you need to carefully back up your password database, and 2) you need to synchronize it across the devices you use. Some people use Dropbox for sync. I use something called Resilio Sync.

EDIT to add: when using a cloud password manager you really still need to backup your password database. When internet businesses fold, they often do so without notice. So you should be ready for that.
 
The difference between these two is important. With KeePass you keep your encrypted password database yourself. With LastPass and any other cloud-based service like that you give your passwords to the cloud service for them to keep in their database, ...
With cloud based systems (at least with the one I use) they only store an encrypted copy of the password file. This only gets decrypted locally on my machine.

So while all the network security is important, it is less so if the encryption is sufficiently secure.

Convenience is always less secure, but it is more secure than the shortcuts we might take if things are less convenient.
 
Like others mentioned, using a password manager is a good practice. You don’t even need to buy one if you don’t want to. Chrome, Safari or Edge will ask you when creating an account to generate a strong password for you, and then will save it for you in their respective built in password manager. There is no need to know your password. Just let the browser do that work for you.

With this, should the website have poor practices and store your password unencrypted, and it gets compromised, it's a unique password and only one account is compromised, which is better than many accounts if you happen to be reusing passwords.
 
Still in control of my account for now. I wonder what the motivation is to attack ASR?

Edit: OK, maybe they aren't attacking ASR specifically and are just posting generic spam. I haven't seen any of these posts myself.
 
I’ve always let Apple’s password generator/password manager deal with my passwords ... "fumble ... fumble ... stretch ... touch wood" ... I’ve never had any issues, and it alerts me if any websites have leaked information.
 