if I enter my gmail, does that mean my google account was affected or any accounts tied to my gmail can be affected?
How does this sort of thing work if you use another account to log in to one of these services?
For example, I'm pretty sure I used my Google or Facebook account rather than creating a new account when I tried out Coffee Meets Bagel. Am I safe, or does a breach like this mean my Google or Facebook data is compromised?
> That's not more secure, I can easily crack that with a dictionary attack. Please stop posting false information.

No password is uncrackable, but dictionary attacks are a hell of a lot less common than brute force attacks. A longer password like this is more secure than the shorter gobbledygook that most people use for the vast majority of the hack attempts we see done online.
The point of those passwords is to limit what a brute force attack can do as they check for every combination. Against a rainbow table any password is fucked. Against a dictionary attack, any words in their dictionaries, combinations, letters replaced with numbers or symbols etc, are vulnerable.
The point is to make separate passwords for each site and accept that they'll likely be cracked eventually, and change it. You saying that password combination is the most secure is incredibly irresponsible and only adds to the danger of leaked information.
> Wow, so how are they getting thru Google's 2FA so easily? Are you using a smartphone confirmation?

Phone based 2FA can be breached by cloning a number, but it's a significant hurdle for most and thus serves as pretty decent protection for the vast majority of folks.
> Welp, time to change the ol' password.

How'd you decipher my new password so quickly?
RIP Password1.
Hello, Passw0rd2!
#securityconscious
#thezeromakesitsafe
> It says the MyFitnessPal breach also contains IP addresses — can they do anything with that info?

Yea, they can fake your IP address to gain access to accounts online that use IP address lookup as verification of identity, like for example some sites that auto log you in without need for a password. A combination of a cloned IP, device ID (sometimes) and perhaps also a standard cookie will get them access.
> Yea, they can fake your IP address to gain access to accounts online that use IP address lookup as verification of identity, like for example some sites that auto log you in without need for a password. A combination of a cloned IP, device ID (sometimes) and perhaps also a standard cookie will get them access.

So... what should we do?
> if I enter my gmail, does that mean my google account was affected or any accounts tied to my gmail can be affected?

It would mean that there was a breach where a username associated with your gmail account was compromised. If you scroll down it gives more information about each of the breaches your gmail address was found in, so you can see where they originated from.
Don't use "remember me" functions on websites, even on your own devices. That protects you from such exploits, as they use that functionality to gain access with the IP address.
> How does this sort of thing work if you use another account to log in to one of these services?

It depends on the way the site validates you. Most use encryption (tokens) that protects you, but occasionally you'll see some that just store the password and perhaps encrypt it on their website. The only way to really be sure is to search for your password in the breaches.
> After reading up on it, the login is happening on Facebook or Google, which then uses an auth token to log you in to the third party; your password is not going to the third party app/site.

Like I say above, it depends on the site and their implementation. Not all of them use the Facebook or Google login with tokens. Most of the ones that don't tend to be a bit slapdash or older, but they do exist.
> Don't use "remember me" functions on websites, even on your own devices. That protects you from such exploits, as they use that functionality to gain access with the IP address.

I never use "remember me" on websites, but does the same apply to apps on your phone? Having to sign in to Gmail every time seems like a nightmare. And does 2FA stop this at all?
Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.
> How did this happen, though? Keylogging? If they were unique and only for Gmail, unless Google was breached I don't see how these ended up compromised.

I thought the same when it happened. I haven't logged into those accounts outside of iOS in months, so I am not sure how I could have been hit with a keylogger. FWIW, both emails were part of the Collection#1 breach.
> I never use "remember me" on websites, but does the same apply to apps on your phone? Having to sign in to Gmail every time seems like a nightmare. And does 2FA stop this at all?

2FA authentication adds an extra layer of security that folks would need to bypass. It's never a bad idea. But yea, depending on the implementation of specific apps it could be tricked into providing access to folks, but that's where the device ID becomes more important, and those are a fair bit trickier to fake than a standard IP address. Phones especially have had a lot of time and effort put into securing device IDs. Nothing is uncrackable though.
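The "remember me" and IP-address discussion above contrasts two ways a site can recognise a returning user. The Python below is an added example written for this thread, not code from any commenter or from any named site: it places the weak design the thread describes (identity inferred from source IP alone) next to a persistent-login cookie done with an unguessable random token that is stored only as a hash, bound to an expiry, and revoked the moment a cookie with a wrong verifier is presented. Class names, the 30-day lifetime, and the sample user and IP are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def _hash(verifier: str) -> str:
    """Server stores only this; a leaked token table cannot be replayed as cookies."""
    return hashlib.sha256(verifier.encode("utf-8")).hexdigest()


class InsecureIpAutoLogin:
    """The weak scheme the thread warns about: a returning visitor is 'recognised'
    by source IP, so whoever presents that IP is logged in without a password."""

    def __init__(self):
        self._ip_to_user = {}

    def remember(self, user: str, ip: str) -> None:
        self._ip_to_user[ip] = user

    def auto_login(self, ip: str):
        return self._ip_to_user.get(ip)


class RememberMeTokens:
    """Persistent login with a selector:verifier cookie (constructed example design)."""

    TTL_SECONDS = 30 * 24 * 3600  # assumed 30-day lifetime for the demo

    def __init__(self):
        self._store = {}  # selector -> (user, sha256(verifier), expires_at)

    def issue(self, user: str, now: int) -> str:
        selector = secrets.token_urlsafe(12)   # public lookup key
        verifier = secrets.token_urlsafe(32)   # 256-bit secret, never stored in clear
        self._store[selector] = (user, _hash(verifier), now + self.TTL_SECONDS)
        # The returned value belongs in a Secure, HttpOnly, SameSite cookie.
        return f"{selector}:{verifier}"

    def auto_login(self, cookie: str, now: int):
        selector, sep, verifier = cookie.partition(":")
        record = self._store.get(selector)
        if not sep or record is None:
            return None
        user, verifier_hash, expires_at = record
        if now >= expires_at:
            del self._store[selector]
            return None
        if not hmac.compare_digest(verifier_hash, _hash(verifier)):
            # Known selector with a wrong verifier looks like a forged or stolen
            # cookie: revoke it so the legitimate holder has to log in again.
            del self._store[selector]
            return None
        return user

    def revoke_all(self, user: str) -> int:
        """Log a user out everywhere, e.g. after a password change."""
        doomed = [s for s, rec in self._store.items() if rec[0] == user]
        for s in doomed:
            del self._store[s]
        return len(doomed)


if __name__ == "__main__":
    weak = InsecureIpAutoLogin()
    weak.remember("alice", "203.0.113.5")            # constructed sample IP
    print("IP-only scheme, same IP presented:", weak.auto_login("203.0.113.5"))

    good = RememberMeTokens()
    cookie = good.issue("alice", now=0)
    print("token scheme, genuine cookie:", good.auto_login(cookie, now=60))
    forged = cookie.split(":")[0] + ":not-the-verifier"
    print("token scheme, forged cookie:", good.auto_login(forged, now=60))
    print("token scheme, genuine cookie after forgery:", good.auto_login(cookie, now=60))
```

Knowing a victim's IP address gives an attacker nothing against the token scheme; the only secret is the verifier, which exists in clear only inside the cookie on the user's device.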
> Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.

What sort of 2FA do you set up? Is it phone based where they send you a text? If so then the two most likely causes are that someone is cloning your phone or they are convincing folks to disable your 2FA via social engineering to gain access to your accounts. Cloning phones would likely be someone you know or someone who knows of you as you'd have to be a specific target for them and they'd need personal information to do it.
> What sort of 2FA do you set up? Is it phone based where they send you a text? If so then the two most likely causes are that someone is cloning your phone or they are convincing folks to disable your 2FA via social engineering to gain access to your accounts. Cloning phones would likely be someone you know or someone who knows of you as you'd have to be a specific target for them and they'd need personal information to do it.

One of the accounts uses a text code, the other uses authentication through the Google mobile app.
No offense to you but I'm not putting my passwords in to some random website.
> I thought the same when it happened. I haven't logged into those accounts outside of iOS in months, so I am not sure how I could have been hit with a keylogger. FWIW, both emails were part of the Collection#1 breach.

Ah ok. Did you check the specific passwords in the password search? It's possible they only got other identifying information (IP address, device IDs) and not your password. All of these breaches aren't just about passwords; there's other info folks get access to that isn't quite as well protected.
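The two comments above pull in opposite directions: one commenter won't paste a password into a website, the other suggests checking it against the breach data. The Python below is an added example (not from anyone in the thread) of the k-anonymity range lookup that lets both be true: the client hashes the password with SHA-1 and sends only the first five hex characters of the digest; the server answers with every suffix it knows under that prefix and a count, and the match is made locally, so neither the password nor its full hash leaves the machine. This is the protocol Have I Been Pwned's Pwned Passwords range API uses; the `http_range_lookup` transport targets that real endpoint and needs network access, while the default `local_range_lookup`, the corpus and its counts are constructed stand-ins so the demo runs offline.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-character prefix is ever transmitted."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for a breach corpus. Plaintexts appear here only so the
# demo can derive hashes; the counts are made up, not real breach statistics.
CONSTRUCTED_CORPUS = {
    "password": 3_000_000,
    "P@ssw0rd": 50_000,
    "letmein": 120_000,
}


def local_range_lookup(prefix: str) -> str:
    """Emulates the server: one 'SUFFIX:COUNT' line per known hash under `prefix`.
    The server cannot tell which of the returned suffixes the client cares about."""
    lines = []
    for plain, count in CONSTRUCTED_CORPUS.items():
        p, s = split_for_range_query(plain)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def http_range_lookup(prefix: str) -> str:
    """Real transport (network required): the Pwned Passwords range endpoint."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-lookup-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_seen(password: str, range_lookup=local_range_lookup) -> int:
    """How often the password appears in the corpus, or 0; matching happens client-side."""
    prefix, suffix = split_for_range_query(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd", "a-long-unique-passphrase-for-this-demo"):
        prefix, _ = split_for_range_query(pw)
        print(f"{pw!r}: sends prefix {prefix}, seen {times_seen(pw)} times")
```

A practical check is the prefix printed beside each password: five hex characters narrow the candidate set to one in a million or so, which is why the lookup leaks nothing usable about which password was queried.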
> How would that allow them to get his password, though? I thought the most they would be able to do is change his password.

Yea, it would allow them access to his account, which I thought is what he meant when he said his account was compromised. It appears I might have misunderstood though. Them being part of one of these breaches wouldn't necessarily mean his email password was breached. It's most likely another website for which he used his email address as his login, with them then gaining access to the passwords and personally identifying information on that specific website.
> One of the accounts uses a text code, the other uses authentication through the Google mobile app.

So these lists don't necessarily mean your email password is public; it could be other identifying information attached to your account/email. With 2FA enabled it's far, far more likely that it wasn't your email password that folks got access to but an account with another website where you used your email address as a login ID.
> 2FA authentication adds an extra layer of security that folks would need to bypass. It's never a bad idea. But yea, depending on the implementation of specific apps it could be tricked into providing access to folks, but that's where the device ID becomes more important, and those are a fair bit trickier to fake than a standard IP address. Phones especially have had a lot of time and effort put into securing device IDs. Nothing is uncrackable though.

Damn, pretty scary. I guess I'll just have to hope the device ID is too hard to fake. Thanks for the help.
> Yea, it would allow them access to his account, which I thought is what he meant when he said his account was compromised. It appears I might have misunderstood though. Them being part of one of these breaches wouldn't necessarily mean his email password was breached. It's most likely another website for which he used his email address as his login, with them then gaining access to the passwords and personally identifying information on that specific website.

Both passwords were listed. I don't have any evidence someone else used either one of the emails, but the credentials were out there.
So these lists don't necessarily mean your email password is public; it could be other identifying information attached to your account/email. With 2FA enabled it's far, far more likely that it wasn't your email password that folks got access to but an account with another website where you used your email address as a login ID.
You can actually scroll down from the email search and see what breaches you fell under, and those will tell you what sites your email address would've been attached to. It's the passwords for those sites specifically, not your email password, that would've been compromised.
Or am I misunderstanding you and you actually had your email accounts specifically breached?
Did you use them anywhere else besides with those email accounts? Or were they unique to the email logins? If you used the same password in combination with your email address to set up an account on a separate site they could've gained the password info from the other site.
> Did you use them anywhere else besides with those email accounts? Or were they unique to the email logins? If you used the same password in combination with your email address to set up an account on a separate site they could've gained the password info from the other site.

Both passwords were unique to each email and I had never used them elsewhere.
If they had access to your email password from elsewhere, along with a bit of other personal information, they could social engineer themselves into disabling two factor on your email.
> Both passwords were unique to each email and I had never used them elsewhere.

How long did you use these passwords for before they were compromised? The only thing I can really think of to explain this would be if you have a keylogger or other datamining tool on your computer. A keylogger could record you entering the actual password, where a datamining tool could send cookies, IP and other identifiers someone might need to spoof an automated login attempt.
> Those advocating password managers please note they are insecure:
> https://bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/

Yeah, and if you already have keyloggers and other pieces of malware on your system, which is what this "backdoor" requires, you are already beyond fucked anyways.
> No password is uncrackable, but dictionary attacks are a hell of a lot less common than brute force attacks. A longer password like this is more secure than the shorter gobbledygook that most people use for the vast majority of the hack attempts we see done online.

Nobody with a lick of sense is trying to crack passwords using a pure brute force method.
> Nobody with a lick of sense is trying to crack passwords using a pure brute force method.

Well yea, but if the passwords were truly unique I don't see how they could use predictive algorithms. Better still, the lockout protocols for Gmail should protect it from such an attack too. I honestly don't know how it could've been breached. I'm stumped.