Millions of Gmail Hotmail and Yahoo email account details stolen says security expert

Status
Not open for further replies.

Aureon

Please do not let me serve on a jury. I am actually a crazy person.
Two step won't help if you also use that password on other sites. It'll just help keep them out of your gmail

Hopefully the damn thing is a hash steal, not a clear password steal.

May be a keylogger network thing, though.
 
A few days ago someone broke into my Mojang and Netflix accounts. I was worried about the Netflix one since they don't really have anything other than the password to protect the account (not even email verification anymore) but they didn't change my email so it was all good. They couldn't get past the security questions on Mojang (I use pretty unknown information from myself I never reveal online).

Guess I'll finally have to start using a password manager.
 

entremet

Member
You shouldn't even be doing that in the first place. Sit down, educate yourself on password managers and set aside 1-2 hours to then change all of your passwords to a unique one for each site.

Baffling how many people still don't use them.

It is baffling.

We have threads like these every two months or so.

Learn 2 Internet, folks. If you hate password managers at least come up with a system

Relevant:

password_strength.png
 
PSA: Ancient Aliens: FEEL THE BERN:

Google and Microsoft accounts (Gmail and Hotmail) both offer 2-factor authentication. You have no excuse if your accounts with those companies get hacked. Go activate it now if you haven't.
 

Woffls

Member
Oh, could this explain why I sent myself an email the other day with a dodgy link in it? Luckily I had changed my password a couple of months ago so I think my other accounts are safe.
 

Lima

Member
Also use your web browser in a VM or sandbox.

Sandboxie is a great little tool and it's free for home use. Keeps your web browser in a sandbox so even if you visit wonky sites with ads that want to get on your hard drive or in your registry the program will block it.
 

Sifl

Member
I put my password in my iphone around 3 years ago and haven't logged in once since, so I forgot my password. How do I get in contact with them so they can tell me what it is?
 
Change your way of thinking... Avoid passwords and switch to a passphrase when creating a password. Example: MyCatNameIsFluffy247!HowCute! But each site NEEDS to have its own passphrase.

But the best approach is still to use a password manager like LastPass + 2nd factor authentication (in my case I use LastPass + YubiKey)
https://www.yubico.com/products/yubikey-hardware/

Which is a shame when you encounter a site that limits the length of a password to 8 or less characters.
 

Maximus P

Member
Just changed my password on Hotmail. Looking at recent activity can be scary.....


Security challenge Today United Kingdom

Successful sign-in Today United Kingdom

Successful sign-in Yesterday United Kingdom

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered Korea

Successful sign-in United Kingdom

Incorrect password entered Korea
 

fuzzyset

Member
For all you getting on the password manager train, at least for LastPass, look into getting the paid version. This lets you use the full mobile version so you can still log into sites when on your phone. Otherwise you'll need a computer nearby to look up your password (unless you somehow memorize all of them :O).
 

jmdajr

Member
Just changed my password on Hotmail. Looking at recent activity can be scary.....


Security challenge Today United Kingdom

Successful sign-in Today United Kingdom

Successful sign-in Yesterday United Kingdom

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered Korea

Successful sign-in United Kingdom

Incorrect password entered Korea

Where can you search this history?

edit: found it.
wtf Israel and Italy.

At least my password is strong style.
 

jmdajr

Member
That's interesting. In the past month I had two attempts from China and one from Indonesia.

Yeah. I never fucking check! Damn.

Like I said at least my password was strong and I had two step authentication, but that seemed mostly to work with Microsoft Account purchases. Now I have that APP on the phone that you click to approve sign ins, even on the Xbox.

Overall, have never noticed anything, except some funny junk mail here and there.

I also have two step on yahoo, gmail, facebook, twitter, and amazon.
 
The worst is when you register on a website and then they send you a welcome e-mail that contains your username and your password in plain text (the one you've just typed). If they have it in plain text that means they don't even encrypt it in their database.
 

RoadHazard

Gold Member
It was at the time. I'm not sure if cracking algorithms have made it easier to crack string-of-words passwords now. It's still safest to use a long, randomly generated string of characters, but obviously that's not realistic for most internet users.

Of course it is. That's why password managers exist. Or are you saying that people are too dumb to use one?
 

jelly

Member
Why is gmail not prompting everyone to change their passwords yet?

Google, Microsoft etc. haven't been hacked. It's just people using the same credentials elsewhere, key loggers etc. that leaves them and others wide open. All they can do is prompt you to set up two factor authentication and they do.
 

vainya

Neo Member
The worst is when you register on a website and then they send you a welcome e-mail that contains your username and your password in plain text (the one you've just typed). If they have it in plain text that means they don't even encrypt it in their database.
This just happened to me when I registered to an online store
 

tim.mbp

Member
Why is gmail not prompting everyone to change their passwords yet?

Cause this story sounds like BS. I got to imagine millions of working email passwords are worth far more than some likes on Facebook. I'd say it's likely just some shit thrown together to try to make a few bucks off other scammers.
 

SimleuqiR

Member
Just changed my password on Hotmail. Looking at recent activity can be scary.....


Security challenge Today United Kingdom

Successful sign-in Today United Kingdom

Successful sign-in Yesterday United Kingdom

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered Korea

Successful sign-in United Kingdom

Incorrect password entered Korea


I actually had quite a few successful logins from Germany on my Hotmail account. Looking at the history these go back for a while and they are all POP3. Me thinks this is my GMAIL pop setup accessing Hotmail.

I had set up the Microsoft App previously to identify any new PC that tries to log in. So I think I'm good.
 

ZetaEpyon

Member
I actually had quite a few successful logins from Germany on my Hotmail account. Looking at the history these go back for a while and they are all POP3. Me thinks this is my GMAIL pop setup accessing Hotmail.

Noticed the same thing, and I believe this to be the case.
 
Does Gmail have a security log?

If your account has suspicious sign-in attempts -- or suspicious successful sign-ins -- then you get a notification e-mail on the address that you've set as your secondary e-mail address.

Also at the bottom right of the main inbox there's a link to show the IPs of all active or recent connections to your account.
 
Yeah, never bothered looking at my Hotmail sign-in attempts but over the last couple weeks there's been a failed attempt through POP3 from China every three days starting on April 22nd. I should probably make my Hotmail password stronger than what it is. I've had this account (and it was my first) for almost 19 years.


Anyone remember a few years ago when there was some exploit of Yahoo Mail and some app? That was fun, can't remember if I got hit but I got a few e-mails to my Yahoo account from people I used to know with Yahoo accounts. I haven't really used Yahoo as a primary e-mail since my dumb ass hastily fell for a spoofed login page and lost my original account in 2004.
 
I feel like I should point this out (if it hasn't already) and remind people as I keep forgetting it's there too, as we don't know what passwords were taken, if you have 2 step auth on a Microsoft account you most likely have 2 passwords. Why? Because some apps such as the live mail desktop app (and live essentials), the 360 (I think) etc and possibly other services don't support 2 step auth. So it creates a separate password from your main one to let you log on to those services.

Google does a similar thing so I guess it applies to Gmail as well. For example, the Vita doesn't support 2-Factor so you can generate an "App Password" that doesn't require 2-Factor so you can use it with the Vita. So if you've ever done that for an app or device that doesn't support 2-factor you need to be aware of that as well.

Just changed my password on Hotmail. Looking at recent activity can be scary.....

It's nothing to be concerned about unless they are getting in. People are always trying to hack my MS accounts, I get password reset emails every couple of weeks that I did not initiate. At first it was a little scary but basically this just means that your good password and 2-factor are doing their job and I just delete the emails. It's a good idea to check the activity regularly to make sure you can account for the successful logins, though some of these can be puzzling as well if they're not obviously you. If you're on mobile around here and log in, the location information reported by Verizon doesn't always make sense and can appear to come from strange places like Atlanta, which is a state away from here.

Anyone remember a few years ago when there was some exploit of Yahoo Mail and some app?

Not sure why exactly but we have more problems with users' personal Yahoo accounts getting hacked than any other service. Are they the most popular by a large margin? I just know we never get spammed by breached employee Hotmail, Gmail, or Outlook accounts but it seems to happen to some Yahoo mail user every month.
 

Drazgul

Member
Incorrect password entered 5/4/2016 7:20 AM Russia
Incorrect password entered 4/28/2016 3:03 AM China
Incorrect password entered 4/17/2016 7:28 PM Kyrgyzstan
Incorrect password entered 4/17/2016 1:03 PM Russia
Incorrect password entered 4/16/2016 8:10 PM United States
Incorrect password entered 4/16/2016 9:01 AM Canada
Incorrect password entered 4/16/2016 6:15 AM China
Incorrect password entered 4/13/2016 5:16 AM Russia
Incorrect password entered 4/12/2016 6:58 PM Belarus
Incorrect password entered 4/9/2016 5:20 AM United States

Should just give an option to block all countries but your own by default, this is bullshit.
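
The review several posters describe above (account for every successful sign-in, treat failed attempts as a tally), written as an added example that is not part of any post in this thread. The sample lines are constructed in the layout pasted above; the month/day/year date order and the `home_countries` parameter are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout pasted in the thread; the last line keeps
# the fused "AMCanada" form to show the parser tolerates it.
SAMPLE = """\
Successful sign-in 5/4/2016 9:02 AM United Kingdom
Incorrect password entered 5/4/2016 7:20 AM Russia
Incorrect password entered 4/28/2016 3:03 AM China
Successful sign-in 4/20/2016 6:41 PM Germany
Security challenge 4/17/2016 8:00 PM United Kingdom
Incorrect password entered 4/16/2016 9:01 AMCanada
"""

LINE = re.compile(
    r"^(Successful sign-in|Incorrect password entered|Security challenge)\s+"
    r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s*(\S.*)$"
)

def parse(text):
    """Return (event, when, country) tuples; lines in another layout are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # Assumption: dates are month/day/year, as in the pasted entries.
            when = datetime.strptime(m.group(2), "%m/%d/%Y %I:%M %p")
            events.append((m.group(1), when, m.group(3).strip()))
    return events

def review(events, home_countries):
    """Count failures per country and list successes from unexpected places."""
    failed = Counter(c for e, _, c in events if e == "Incorrect password entered")
    unexplained = [(w, c) for e, w, c in events
                   if e == "Successful sign-in" and c not in home_countries]
    return {"failed_by_country": failed, "unexplained_successes": unexplained}

if __name__ == "__main__":
    report = review(parse(SAMPLE), home_countries={"United Kingdom"})
    for country, n in report["failed_by_country"].most_common():
        print(f"failed: {n:2d}  {country}")
    for when, country in report["unexplained_successes"]:
        print(f"CHECK: successful sign-in from {country} at {when:%Y-%m-%d %H:%M}")
```

A flagged success is a prompt to look rather than proof of compromise, as with the POP3 sign-ins from Germany that posters above attribute to their own Gmail fetch setup.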
 

epmode

Member
Man, I have unsuccessful MS logins from Indonesia, China, Mexico, Russia, other states in America and a few other places. Crazy. Hooray for 2 step authentication.
 

Linkyn

Member
So, after I changed my password yesterday (which, as fortune would have it, is tied to my MS account), I almost locked myself out of my PC because I couldn't remember the replacement after a restart this morning. I was worried I might have to go use the university cluster to reset it again.
 

dity

Member
Just changed my password on Hotmail. Looking at recent activity can be scary.....


Security challenge Today United Kingdom

Successful sign-in Today United Kingdom

Successful sign-in Yesterday United Kingdom

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered Korea

Successful sign-in United Kingdom

Incorrect password entered Korea

People always assume this kind of thing is malicious, but honestly I reckon it's usually a case of mistyped email address and they don't realise they used an incorrect number/letter until after a few attempts.
 

MUnited83

For you.
It is baffling.

We have threads like these every two months or so.

Learn 2 Internet, folks. If you hate password managers at least come up with a system

Relevant:

password_strength.png

Hasn't been relevant for a while, people go for dictionary based attacks these days.
 

saunderez

Member
Hasn't been relevant for a while, people go for dictionary based attacks these days.

Haven't they always? Back in the day when I used to be interested in....uh...more unsavory activities on the internet I always went for the dictionary attack first. And that was a good 20 years ago now.
 
Just changed my password on Hotmail. Looking at recent activity can be scary.....


Security challenge Today United Kingdom

Successful sign-in Today United Kingdom

Successful sign-in Yesterday United Kingdom

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered China

Successful sign-in United Kingdom

Incorrect password entered China

Incorrect password entered Korea

Successful sign-in United Kingdom

Incorrect password entered Korea

The easiest way to make this go away is to create an alternate Hotmail address you will use as your primary logon, set it as primary, and disable logon from your real Hotmail address which is now secondary. Emails will arrive in your Hotmail account just as they always have, since the primary and secondary accounts all share the same mailbox. From this point on, logon using your new primary email address which you don't give to anybody. It's nice that Microsoft Account lets you easily do this.
 

Coreda

Member
To everyone seeing unsuccessful login attempts from overseas, was the same password at any point shared by another site?

Does Gmail have a security log?

https://myaccount.google.com/security under 'Device activity & notifications'

Haven't they always? Back in the day when I used to be interested in....uh...more unsavory activities on the internet I always went for the dictionary attack first. And that was a good 20 years ago now.

From what I've read in recent years password guessing scripts have incorporated combinations of dictionary words based on the info gleaned from all these breaches and the patterns people use. So it's kind of like a hybrid of dictionary attacks, where not only past examples are checked verbatim but intelligent new combinations.
 