
criteriondog

I like the chili style
Member
Oct 26, 2017
11,151
if I enter my gmail, does that mean my google account was affected or any accounts tied to my gmail can be affected?
 

kirbyfan407

Member
Oct 25, 2017
2,114
How does this sort of thing work if you use another account to log in to one of these services?

For example, I'm pretty sure I used my Google or Facebook account rather than creating a new account when I tried out Coffee Meets Bagel. Am I safe, or does a breach like this mean my Google or Facebook data is compromised?
 

Cymbal Head

Member
Oct 25, 2017
2,375
I get a new email from HIBP every month or two at this point. I have too many accounts.

Thankfully I have a really low rate of password reuse and am working on getting my LastPass audit score up to 100%
 

Zen

The Wise Ones
Member
Nov 1, 2017
9,658
I have no account on those thankfully. I use one off passwords for everything too and change mine semi frequently so I should be okay in the event of future data breaches
 

Robochimp

Avenger
Oct 25, 2017
2,677
How does this sort of thing work if you use another account to log in to one of these services?

For example, I'm pretty sure I used my Google or Facebook account rather than creating a new account when I tried out Coffee Meets Bagel. Am I safe, or does a breach like this mean my Google or Facebook data is compromised?

After reading up on it, the login is happening on Facebook or Google, which then uses an auth token to log you in to the third party, so your password is not going to the third party app/site.
 

RexNovis

Member
Oct 25, 2017
4,185
That's not more secure, I can easily crack that with a dictionary attack. Please stop posting false information.

The point of those passwords is to limit what a brute force attack can do as they check for every combination. Against a rainbow table any password is fucked. Against a dictionary attack, any words in their dictionaries, combinations, letters replaced with numbers or symbols etc, are vulnerable.

The point is to make separate passwords for each site and accept that they'll likely be cracked eventually, and change it. You saying that password combination is the most secure is incredibly irresponsible and only adds to the danger of leaked information.
No password is uncrackable but dictionary attacks are a hell of a lot less common than brute force attacks. A longer password like this is more secure than the shorter gobbledygook that most people use for the vast majority of the hack attempts we see done online.
 

adj_noun

Avenger
Oct 25, 2017
17,220
Welp, time to change the ol' password.

RIP Password1.

Hello, Passw0rd2!

#securityconscious

#thezeromakesitsafe
 
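The exchange above (brute force versus dictionary attacks, and the "Passw0rd2!" joke) is the kind of thing that is easier to see in code. The following is an added example, not code from the thread or any poster: a tiny rule-based dictionary cracker with a constructed five-word list, a leet rule and a suffix rule, run against a SHA-256 of "Passw0rd2!" (the hash function is an assumption standing in for whatever a breached site used), next to the size of the keyspace a pure brute-force run over printable ASCII would have to cover for a 10-character password.

```python
"""Added example (not from the thread): why a leet-and-suffix password like
"Passw0rd2!" falls to a rule-based dictionary attack long before pure brute
force would reach it. The word list, rule set and hash are constructed
stand-ins for a real cracking run (hashcat / John rule files are far larger)."""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

# A handful of base words any cracking word list contains (constructed).
WORDLIST = ["password", "welcome", "letmein", "qwerty", "dragon"]

# Character substitutions typical of a "leet" mangling rule.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffix rule: nothing, one digit, or one digit plus a common symbol.
SUFFIXES = [""] + [str(d) for d in range(10)] + [
    f"{d}{s}" for d in range(10) for s in "!@#$"
]

PRINTABLE_ASCII = 95  # alphabet size an exhaustive search must cover


def sha256_hex(text: str) -> str:
    """Stand-in for whatever hash the breached site used (assumption)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def leet_variants(word: str) -> Iterator[str]:
    """Yield the word with every subset of LEET substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for k in range(len(positions) + 1):
        for subset in itertools.combinations(positions, k):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Mangle each word: case rules, then leet, then a suffix."""
    for word in words:
        # dict.fromkeys keeps a stable order (a set would not across runs)
        for cased in dict.fromkeys([word, word.capitalize(), word.upper()]):
            for leet in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield leet + suffix


def crack(target_hash: str, words: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Return (plaintext, guesses_needed) when a candidate matches, else None."""
    for n, guess in enumerate(candidates(words), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, n
    return None


def dictionary_keyspace(words: Iterable[str]) -> int:
    """How many guesses this rule set produces for the word list."""
    return sum(1 for _ in candidates(words))


def brute_force_keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Guesses an exhaustive search of printable ASCII needs (upper bound)."""
    return alphabet ** length


if __name__ == "__main__":
    target = sha256_hex("Passw0rd2!")  # the joke password from the thread
    print("dictionary + rules:", crack(target, WORDLIST))
    print("rule-set size for this list:", dictionary_keyspace(WORDLIST))
    print("brute force, 10 printable chars:", brute_force_keyspace(10))
```

"Passw0rd2!" is found in roughly a thousand guesses from a five-word list, while the brute-force keyspace for the same length is 95^10; a random 10-character string such as "zq7#Lm9!vT" is never produced by the rules at all, which is the difference the thread is arguing about.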

RexNovis

Member
Oct 25, 2017
4,185
Wow, so how are they getting thru googles 2fa so easily? Are you using a smartphone confirmation?
Phone-based 2FA can be breached by cloning a number, but it's a significant hurdle for most and thus serves as pretty decent protection for the vast majority of folks.

However, if someone has zeroed in on you and your accounts specifically (for example because you have a desirable username or you are a well-known public figure of some sort) instead of you being just a part of a mass password attack, they absolutely can jump through the hoops necessary to clone your number via social engineering and with the help of your phone service provider.
 

RexNovis

Member
Oct 25, 2017
4,185
It says the MyFitnessPal breach also contains IP addresses — can they do anything with that info?
Yea, they can fake your IP address to gain access to accounts online that use IP address lookup as verification of identity, like for example some sites that auto log you in without need for a password. A combination of a cloned IP, device ID (sometimes) and perhaps also a standard cookie will get them access.
 
Oct 27, 2017
17,443
Yea, they can fake your IP address to gain access to accounts online that use IP address lookup as verification of identity, like for example some sites that auto log you in without need for a password. A combination of a cloned IP, device ID (sometimes) and perhaps also a standard cookie will get them access.
So... what should we do?
 

RexNovis

Member
Oct 25, 2017
4,185
if I enter my gmail, does that mean my google account was affected or any accounts tied to my gmail can be affected?
It would mean that there was a breach where a username associated with your gmail account was compromised. If you scroll down it gives more information about each of the breaches your gmail address was found in so you can see where they originated from
 

RexNovis

Member
Oct 25, 2017
4,185
How does this sort of thing work if you use another account to log in to one of these services?

For example, I'm pretty sure I used my Google or Facebook account rather than creating a new account when I tried out Coffee Meets Bagel. Am I safe, or does a breach like this mean my Google or Facebook data is compromised?
It depends on the way the site validates you. Most use encryption (tokens) that protects you but occasionally you'll see some that just store the password and perhaps encrypt it on their website. The only way to really be sure is to search for your password in the breaches.

After reading up on it, the login is happening on facebook or google, which then uses an auth token to log you in to the third party , your password is not going to the third party app/site.
Like I say above it depends on the site and their implementation. Not all of them use the Facebook or google with tokens. Most of the ones that don't tend to be a bit slapdash or older but they do exist.
 
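The post above says the only way to be sure is to search for your password in the breaches. The following is an added example, not code from the thread, showing how such a search can be done without sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every suffix sharing that prefix, so the match is made locally. The HTTP call is replaced by a constructed response table (the counts in it are made up; only the suffix for "password" is the real SHA-1 suffix), so the block runs offline.

```python
"""Added example (not from the thread): k-anonymity check of a password
against a breach corpus, modelled on the HIBP Pwned Passwords range endpoint.
Only the 5-character SHA-1 prefix would leave the client; here the network
fetch is replaced by a constructed response so the example runs offline."""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the server, suffix matched locally)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


# Constructed stand-in for GET /range/5BAA6 (a real body has hundreds of
# "SUFFIX:COUNT" lines). First line: real suffix of SHA-1("password") with a
# made-up count. Second line: a zero-count padding entry of the kind the API
# adds when padding is requested; it must be ignored. Third: made up.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00000000000000000000000000000000000:0",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
    ])
}


def fetch_range(prefix: str) -> str:
    """Would be an HTTPS GET of /range/<prefix> in real use (assumption)."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; drop padding entries with count 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str,
                fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

The server never sees more than the five-character prefix, so a breached or malicious range service learns nothing usable about the password; swap `fetch_range` for a real HTTPS client to use it against the live corpus.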

Dingens

Circumventing ban with an alt account
Banned
Oct 26, 2017
2,018
The nice thing about the "Resource of the future", aka data, is that the mine, aka you, does not give a shit and everyone has a licence to dig.
 

Coyote Starrk

The Fallen
Oct 30, 2017
53,080
Best I can do is $30

(Seriously though this is awful. I can't believe how many breaches we have had in the last 2 years)
 

pezzie

Member
Oct 27, 2017
3,440
Only one password of mine compromised. It was my most commonly used one back in the day, but I've since phased it out.

I'll bet there are still a bunch of websites I haven't been to in years that have an account using that password though.

Most of the stuff I really want to protect are now unique passwords and 2FA.
 
Oct 27, 2017
17,443
Don't use "remember me" functions on websites. Even on your own devices. That protects you from such exploits as they use that functionality to gain access with the IP address
I never use "remember me" on websites, but does the same apply to apps on your phone? Having to sign in to Gmail every time seems like a nightmare. And does 2FA stop this at all?
 

mrmoose

Member
Nov 13, 2017
21,200
Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.

How did this happen, though? Keylogging? If they were unique and only for gmail, unless google was breached I don't see how these ended up compromised.
 

snipe_25

Member
Oct 27, 2017
2,168
This makes sense, I just got a few "ransom" emails in my Gmail junk folder claiming that they previously hacked my accounts and they will release some webcam footage of me watching porn unless I pay them in Bitcoin. Gave me a good laugh.
 

Red

Member
Oct 26, 2017
11,701
How did this happen, though? Keylogging? If they were unique and only for gmail, unless google was breached I don't see how these ended up compromised.
I thought the same when it happened. I haven't logged into those accounts outside of iOS in months so I am not sure how I could have been hit with a keylogger. FWIW, both emails were part of the Collection#1 breach.
 

RexNovis

Member
Oct 25, 2017
4,185
I never use "remember me" on websites, but does the same apply to apps on your phone? Having to sign in to Gmail every time seems like a nightmare. And does 2FA stop this at all?
2FA authentication adds an extra layer of security that folks would need to bypass. It's never a bad idea. But yea, depending on the implementation of specific apps it could be tricked into providing access to folks, but that's where the device ID becomes more important, and those are a fair bit trickier to fake than a standard IP address. Phones especially have had a lot of time and effort put into securing device IDs. Nothing is uncrackable though.
 
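The "remember me" discussion above is about persistent-login cookies and what an attacker with a copied cookie, IP or device ID can do with them. The following is an added example, not code from the thread or any site it mentions, of how a persistent login is built so that none of those client attributes are trusted: the cookie carries a random selector and a random verifier, the server stores only the hash of the verifier, every successful use rotates the cookie, and a wrong verifier for a known selector is treated as theft and revokes the user's series. The in-memory dict and the injectable clock are assumptions standing in for a database and real time.

```python
"""Added example (not from the thread): "remember me" cookies using the
selector:verifier pattern. Server stores only a hash of the secret, cookies
are single-use and rotated, and a bad verifier for a known selector revokes
the user's persistent logins as a theft signal. Dict = stand-in database."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def _hash(verifier: str) -> str:
    return hashlib.sha256(verifier.encode("utf-8")).hexdigest()


class RememberMeStore:
    def __init__(self, ttl_seconds: int = 30 * 86400,
                 clock: Callable[[], float] = time.time) -> None:
        self._rows: Dict[str, dict] = {}  # selector -> record (assumed DB)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, user: str) -> str:
        """Create a fresh cookie value; only the verifier's hash is stored."""
        selector = secrets.token_urlsafe(12)
        verifier = secrets.token_urlsafe(32)
        self._rows[selector] = {
            "user": user,
            "verifier_hash": _hash(verifier),
            "expires": self._clock() + self._ttl,
        }
        return f"{selector}:{verifier}"

    def redeem(self, cookie: str) -> Optional[Tuple[str, str]]:
        """Return (user, replacement_cookie), or None if the cookie is rejected."""
        selector, sep, verifier = cookie.partition(":")
        if not sep:
            return None
        row = self._rows.get(selector)
        if row is None:
            return None                      # unknown or already rotated
        if row["expires"] <= self._clock():
            del self._rows[selector]
            return None                      # expired
        if not hmac.compare_digest(row["verifier_hash"], _hash(verifier)):
            # Right selector, wrong secret: the cookie was copied or
            # tampered with. Revoke every persistent login for the user.
            self.revoke_user(row["user"])
            return None
        del self._rows[selector]             # single use: rotate on success
        return row["user"], self.issue(row["user"])

    def revoke_user(self, user: str) -> int:
        """Drop all persistent logins for user; returns how many were dropped."""
        doomed = [s for s, r in self._rows.items() if r["user"] == user]
        for s in doomed:
            del self._rows[s]
        return len(doomed)

    def active_count(self, user: str) -> int:
        return sum(1 for r in self._rows.values() if r["user"] == user)


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")
    print("first use:", store.redeem(cookie) is not None)
    print("replay of the same cookie:", store.redeem(cookie))
```

Nothing here depends on the client's IP address or device identifier: a replayed or guessed cookie fails on the server-side record, not on who appears to be presenting it. Set the cookie with `Secure`, `HttpOnly` and `SameSite` attributes, and keep 2FA on the password login that issues it.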

RexNovis

Member
Oct 25, 2017
4,185
Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.
What sort of 2FA do you set up? Is it phone based where they send you a text? If so then the two most likely causes are that someone is cloning your phone or they are convincing folks to disable your 2FA via social engineering to gain access to your accounts. Cloning phones would likely be someone you know or someone who knows of you as you'd have to be a specific target for them and they'd need personal information to do it.
 

mrmoose

Member
Nov 13, 2017
21,200
What sort of 2FA do you set up? Is it phone based where they send you a text? If so then the two most likely causes are that someone is cloning your phone or they are convincing folks to disable your 2FA via social engineering to gain access to your accounts. Cloning phones would likely be someone you know or someone who knows of you as you'd have to be a specific target for them and they'd need personal information to do it.

How would that allow them to get his password, though? I thought the most they would be able to do is change his password.
 

Red

Member
Oct 26, 2017
11,701
What sort of 2FA do you set up? Is it phone based where they send you a text? If so then the two most likely causes are that someone is cloning your phone or they are convincing folks to disable your 2FA via social engineering to gain access to your accounts. Cloning phones would likely be someone you know or someone who knows of you as you'd have to be a specific target for them and they'd need personal information to do it.
One of the accounts uses a text code, the other uses authentication through the google mobile app.
 

RexNovis

Member
Oct 25, 2017
4,185
I thought the same when it happened. I haven't logged into those accounts outside of iOS in months so I am not sure how I could have been hit with a keylogger. FWIW, both emails were part of the Collection#1 breach.
Ah ok. Did you check the specific passwords in the password search? It's possible they only got other identifying information (IP address, device IDs) and not your password. All of these breaches aren't just about passwords; there's other info folks get access to that isn't quite as well protected.
 

Deleted member 49132

User requested account closure
Banned
Oct 28, 2018
968
iOS contains a native password manager as of recent years.

I don't know why everyone using an iPhone hasn't just jumped ship to that.
 

RexNovis

Member
Oct 25, 2017
4,185
How would that allow them to get his password, though? I thought the most they would be able to do is change his password.
yea it would allow them access to his account which I thought is what he meant when he said his account was compromised. It appears I might have misunderstood though. Them being part of one of these breaches wouldn't necessarily mean his email password was breached. Its most likely another website for which he used his email address as his login with them then gaining access to the passwords and personally identifying information on that specific website.

One of the accounts uses a text code, the other uses authentication through the google mobile app.
So these lists don't necessarily mean your email password is public; it could be other identifying information attached to your account/email. With 2FA enabled it's far, far more likely that it wasn't your email password that folks got access to but an account with another website where you used your email address as a login ID.

You can actually scroll down from the email search and see what breaches you fell under and those will tell you what sites your email address would've been attached to. It's the passwords for those sites specifically not your email password that would've been compromised.

Or am I misunderstanding you and you actually had your email accounts specifically breached?
 
Oct 27, 2017
17,443
2FA authentication adds an extra layer of security that folks would need to bypass. It's never a bad idea. But yea, depending on the implementation of specific apps it could be tricked into providing access to folks, but that's where the device ID becomes more important, and those are a fair bit trickier to fake than a standard IP address. Phones especially have had a lot of time and effort put into securing device IDs. Nothing is uncrackable though.
Damn, pretty scary. I guess I'll just have to hope the device ID is too hard to fake. Thanks for the help.
 

Red

Member
Oct 26, 2017
11,701
yea it would allow them access to his account which I thought is what he meant when he said his account was compromised. It appears I might have misunderstood though. Them being part of one of these breaches wouldn't necessarily mean his email password was breached. Its most likely another website for which he used his email address as his login with them then gaining access to the passwords and personally identifying information on that specific website.


So these lists don't necessarily mean your email password is public; it could be other identifying information attached to your account/email. With 2FA enabled it's far, far more likely that it wasn't your email password that folks got access to but an account with another website where you used your email address as a login ID.

You can actually scroll down from the email search and see what breaches you fell under and those will tell you what sites your email address would've been attached to. It's the passwords for those sites specifically not your email password that would've been compromised.

Or am I misunderstanding you and you actually had your email accounts specifically breached?
Both passwords were listed. I don't have any evidence someone else used either one of the emails, but the credentials were out there.
 

Terrell

Member
Oct 25, 2017
3,624
Canada
I've long since stopped caring about this shit. My email has 2FA, my iCloud/iTunes Store account has 2FA and I have identity theft alerts. I'm sure that someone would take the path of least resistance and go after folks without 2FA. My abject poverty and total social obscurity make me a shit target, just some incidental data points in the same pile as the motherlode that hackers hope for.
 

RexNovis

Member
Oct 25, 2017
4,185
Both passwords were listed.
Did you use them anywhere else besides with those email accounts? Or were they unique to the email logins? If you used the same password in combination with your email address to set up an account on a separate site they could've gained the password info from the other site.

If they had access to your email password from elsewhere along with a bit of other personal information they could social engineer themselves into disabling two factor on your email
 

Red

Member
Oct 26, 2017
11,701
Did you use them anywhere else besides with those email accounts? Or were they unique to the email logins? If you used the same password in combination with your email address to set up an account on a separate site they could've gained the password info from the other site.

If they had access to your email password from elsewhere along with a bit of other personal information they could social engineer themselves into disabling two factor on your email
Both passwords were unique to each email and I had never used them elsewhere.
 

kirbyfan407

Member
Oct 25, 2017
2,114
After reading up on it, the login is happening on facebook or google, which then uses an auth token to log you in to the third party , your password is not going to the third party app/site.
It depends on the way the site validates you. Most use encryption (tokens) that protects you but occasionally you'll see some that just store the password and perhaps encrypt it on their website. The only way to really be sure is to search for your password in the breaches.


Like I say above it depends on the site and their implementation. Not all of them use the Facebook or google with tokens. Most of the ones that don't tend to be a bit slapdash or older but they do exist.

Thank you for the information!
 

RexNovis

Member
Oct 25, 2017
4,185
Both passwords were unique to each email and I had never used them elsewhere.
How long did you use these passwords for before they were compromised? The only thing I can really think of to explain this would be if you have a keylogger or other datamining tool on your computer. A keylogger could record you entering the actual password where a datamining tool could send cookies, ip and other identifiers someone might need to spoof an automated login attempt.

Cloning your phone for 2FA Access would not give them access to your prior passwords so that wouldn't explain it. So unless you used your computer to log into these accounts with these passwords at some point I've got no idea how those passwords were compromised.

I'll ask around and see if some other folks I know can think of any explanation that I'm not aware of.

EDIT: someone just reminded me that your passwords could have been compromised by a brute force attack, since the attacker wouldn't necessarily need access to your email account to confirm the correct password. You would only receive a 2FA prompt once they enter the correct password. But I'm fairly certain Gmail has account lockouts and notifications after a specific number of failed attempts, which would make this sort of attack impossible without you knowing it was happening.
 
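The edit above describes the defence that makes online guessing against a 2FA-protected account impractical: lockout and notification after a burst of failures, so the attacker cannot even learn that a guess was right. The following is an added example, not code from the thread or from any provider, of that policy together with the complementary check for mass credential-stuffing (one source failing against many different accounts, which is what a leaked list gets used for). The thresholds and the sample attempts are constructed assumptions, not any real service's values.

```python
"""Added example (not from the thread): online-guessing defences. Per-account
lockout after a burst of failures (a correct password is not confirmed while
locked, and an alert is raised), plus a per-IP block once one source has
failed against many distinct accounts. Thresholds are assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ACCOUNT_MAX_FAILURES = 5           # assumed: failures in WINDOW before lockout
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60
STUFFING_DISTINCT_ACCOUNTS = 20    # assumed: distinct accounts per IP in WINDOW


class LoginGuard:
    """Tracks failed logins per account and per source IP."""

    def __init__(self) -> None:
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}
        self._ip_targets: Dict[str, Dict[str, float]] = defaultdict(dict)
        self.alerts: List[str] = []

    def _prune(self, account: str, ip: str, now: float) -> None:
        """Forget failures older than the sliding window."""
        q = self._failures[account]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        targets = self._ip_targets[ip]
        for acct, t in list(targets.items()):
            if t <= now - WINDOW_SECONDS:
                del targets[acct]

    def attempt(self, account: str, ip: str, password_ok: bool,
                now: float) -> str:
        """Apply policy first; only then count the password result."""
        self._prune(account, ip, now)
        if self._locked_until.get(account, 0.0) > now:
            return "locked"          # right or wrong, nothing is confirmed
        if len(self._ip_targets[ip]) >= STUFFING_DISTINCT_ACCOUNTS:
            return "blocked_ip"
        if password_ok:
            self._failures.pop(account, None)
            return "success"
        self._failures[account].append(now)
        self._ip_targets[ip][account] = now
        if len(self._failures[account]) >= ACCOUNT_MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self.alerts.append(f"lockout+notify account={account}")
        if len(self._ip_targets[ip]) == STUFFING_DISTINCT_ACCOUNTS:
            self.alerts.append(f"credential-stuffing ip={ip}")
        return "failed"


def replay(attempts: List[Tuple[float, str, str, bool]]) -> Tuple[List[str], List[str]]:
    """Run (time, account, ip, password_ok) rows through one guard."""
    guard = LoginGuard()
    verdicts = [guard.attempt(acct, ip, ok, t) for t, acct, ip, ok in attempts]
    return verdicts, guard.alerts


# Constructed sample: a targeted guessing run against one account whose
# sixth guess is correct but arrives after lockout, then a stuffing sweep
# from a second source across 21 different accounts.
SAMPLE_ATTEMPTS: List[Tuple[float, str, str, bool]] = (
    [(float(t), "alice", "203.0.113.5", False) for t in range(5)]
    + [(5.0, "alice", "203.0.113.5", True)]
    + [(100.0 + i, f"user{i}", "198.51.100.9", False) for i in range(21)]
)

if __name__ == "__main__":
    verdicts, alerts = replay(SAMPLE_ATTEMPTS)
    print(verdicts)
    print(alerts)
```

The correct password on the sixth attempt comes back "locked" rather than "success", so the attacker gains no confirmation and the owner gets a notification; the sweep from the second address is cut off after twenty distinct accounts even though no single account hit its own limit.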

killerrin

Member
Oct 25, 2017
9,238
Toronto
Thankfully, I'm safe. And thankfully, last month I went through the painstaking boring and time consuming task of finally going through every password in my password manager and making them all unique. So I'm good going forward

Yeah, and if you already have keyloggers and other pieces of malware on your system, which is what this "backdoor" requires, you are already beyond fucked anyways.
 

FliX

Master of the Reality Stone
Moderator
Oct 25, 2017
9,876
Metro Detroit
I just deleted my MyFitnessPal account.
I really should get into the habit of deleting more old unused accounts...
 

skullmuffins

Member
Oct 25, 2017
7,426
No password is uncrackable but dictionary attacks are a hell of a lot less common than brute force attacks. A longer password like this is more secure than the shorter gobbledygook that most people use for the vast majority of the hack attempts we see done online.
nobody with a lick of sense is trying to crack passwords using a pure brute force method.
 

RexNovis

Member
Oct 25, 2017
4,185
nobody with a lick of sense is trying to crack passwords using a pure brute force method.
Well yea but if the passwords were truly unique I don't see how they could use predictive algorithms. Better still the lockout protocols for gmail should protect it from such an attack too. I honestly don't know how it could've been breached. I'm stumped.

What about you? any idea how his unique 2FA gmail passwords were compromised?