
Account "Hacks": Why do they happen & What you can do?

RexNovis

Banned
Sep 8, 2013
JAPAN
twitter.com
Disclaimer: This thread was made with the intention of being a source of useful and relevant information as a response to a large amount of confusion and frustration surrounding what is a very controversial topic. This took a significant amount of time to put together. Should any information be inaccurate I will be doing my best to update as necessary. Again, I repeat this thread is meant to inform. Please do not use this thread for console warz.

There's been a lot of frustration and confusion surrounding a recent surge in game console account "hacks." What I've noticed is that there is a lot of misinformation and misattributed blame being thrown out there when it comes to these "hacks" and most notably there's a distinct lack of awareness as to how one can protect their own accounts from being compromised. So, I decided to make this thread in which I will attempt to comprehensively detail the most prevalent causes for these recent breaches and the most effective preventative measures you can personally take to exponentially reduce the chances of a personal breach.

First let's talk about the causes. There are three commonly cited causes for instances of accounts being compromised.

The first are key loggers.
Key loggers are often cited as a cause for account compromises, but in reality, with the widespread availability of and access to free comprehensive virus protection services, incidents of key loggers compromising passwords are becoming significantly less common.

The second is Social Engineering
Social engineering (or the use of readily available private data such as phone numbers, addresses etc.) to exploit account support systems into granting access to otherwise secure accounts is a rapidly growing concern. However, the use of such strategies usually relies heavily on information gleaned from unrelated online breaches resulting in the trading and selling of such sensitive information online. These types of attacks are also, by their nature, very targeted, so they are still significantly less widespread thanks to the added time and effort often required compared to other methods.

The third is the breach/leak of account info from unrelated less secure sites/services.
In the VAST majority of recent cases the root cause for these compromised accounts lies with the widespread use of the same or similar passwords across multiple accounts online. You might be wondering "why are shared passwords such a concern?" Well, in the past three years there have been an unprecedented number of compromised websites, forums and services leading to a flood of usernames, emails and passwords for sale, trade and cross reference online. These online info dumps are often sold and traded online amongst would-be hackers and beneficiaries on what is known as the "darknet" (a sort of Internet subsystem only accessible via direct URLs/pathways and hidden from search engines and the like).

The reason this information is (rightfully) seen as so valuable is because with some of the earliest mass breaches (like Yahoo in 2011) it was discovered that, on average, more than 80% of the users with accounts for multiple breached sites used the exact same email and password combinations across those otherwise unrelated sites. So, this means that, more often than not, passwords from unrelated, often trivial sites and forums with what amounts to very little or no data security will be applicable when cross referenced with more sensitive payment and financial related sites/services such as PayPal, online banking, Amazon and even PSN/XBL.

Now, knowing that such a high number of people share passwords across multiple accounts/sites/services, you might be thinking "that would never happen to me." Well, let's take a look at some of the bigger mass data breaches that included usernames, emails and passwords in the past 3 years. Please keep in mind these are only some of the breaches that we know for a fact have been sold or referenced on the "darknet."

A list of some of the biggest/most relevant online account breaches in the past 3 years:

  • Adobe: This includes accounts created for Photoshop, Forums, and Flash Player.
    Total: 155 million accounts

  • AdultFriendFinder: all accounts created prior to the hack in 2015 including most deleted accounts were compromised.
    Total: 4.7 million accounts

  • Android Forums: all current accounts were compromised.
    Total: 1 million accounts

  • AshleyMadison: All past and current accounts were compromised.
    Total: 30 million accounts

  • Avast Antivirus: Paid subscriber accounts were all compromised leading to Avast forcing a password reset for all accounts after the hack in 2014.
    Total: 500k accounts

  • Battlefield Heroes: while the hack occurred back in 2011 the data was not sold openly online until 2013.
    Total: >500k accounts

  • BeautifulPeople: All current accounts as of Nov 2015 were compromised. This included not only emails, usernames and passwords but also dates of birth, home addresses, job titles, names, and even income levels.
    Total: 1.1 million

  • Bell Canada: All accounts were compromised including any attached credit card information.
    Total: 50k accounts

  • BitTorrent Forums: All current accounts on the forum were compromised and data also included personal IP Addresses.
    Total: Unknown

  • Boxee: All current user accounts as of March 2014 were leaked. This included dates of birth, addresses, previous passwords, private messages and all other site related data.
    Total: 160k accounts

  • Cannabis.com: All accounts both current and previous were leaked. Data included IP addresses, previous passwords, instant messaging usernames, and more.
    Total: 230k accounts

  • Comcast: Multiple subsets of Comcast accounts in specific regions on the East Coast of America were ousted for sale. The most recent of which was in Nov 2015 and included 590k accounts in just that one sale. It is unknown how many accounts were included in previous sales.
    Total: Unknown

  • DC Universe Online: An unknown number of accounts for this online game were sold in multiple occasions over the course of 2014 leading to a forced password reset for most PC accounts.
    Total: Unknown

  • Dominos Pizza: Accounts from dominos pizza websites have been sold online on multiple occasions by region and country. Accounts from US, France, Japan, and Belgium are known to have been sold online. Recently accounts from France were held in ransom by a hacker collective and publicly released when Dominos refused to pay.
    Total: Unknown

  • Dungeons and Dragons Online: All user accounts both past and present as of August 2013 were sold online.
    Total: 1.6 million Accounts

  • Final Fantasy Shrine Forums: All account data was publicly leaked online in Sept 2015 and it was discovered that of emails with corresponding FFXIV accounts over 80% used the same passwords for both accounts.
    Total: >620k accounts

  • Forbes.com: Accounts for the Forbes website were publicly leaked in March 2014 as retaliation for what the hackers claimed was a Syrian hate campaign on behalf of Forbes coverage of events in Syria.
    Total: >1 million accounts

  • Gawker Media: In retaliation for negatively skewed coverage of 4chan a substantial number of accounts across all Gawker owned websites were publicly leaked.
    Total: >1.3 million accounts

  • Gmail.com: A large number of Gmail accounts and associated passwords were ousted for sale in September 2014. It is unknown how many accounts were compromised in total; all we know is the number that was sold.
    Total: >5 million accounts sold

  • KM.ru: A large cache of accounts associated with this Russian email service were posted for sale online in February 2016 with another unknown cache posted for sale in June.
    Total: >1.7 million accounts

  • Lifeboat Minecraft Forums: All user accounts for this incredibly popular Minecraft community were breached and leaked online.
    Total: 7 million accounts

  • LinkedIn: This was a huge one. One of the biggest account breaches in internet history occurred on LinkedIn back in 2012 with the data remaining private up until just this past May in 2016 when over 164 million accounts were leaked publicly for cross reference online. It is believed this leak consisted of ALL LinkedIn accounts set up prior to 2012. It all represented the single largest influx of new accounts and passwords online in the past 6 years.
    Total: >164 million accounts

  • Linux Mint Website: The official website for the increasingly popular Linux distro was breached resulting in the leaking of dates of birth, IP addresses, and more.
    Total: 145k accounts

  • Lord of the Rings Online: Account data for this online MMO was being publicly traded online as early as August 2013. It is believed all accounts created prior to that date were leaked, in excess of 1.1 million accounts.

  • MajorGeeks.com: A large number of accounts from this popular freeware and software download site were publicly traded and sold online as early as Nov 2015.
    Total: 270k accounts

  • MalwareBytes Forum: User accounts for the official forums of this antivirus service were leaked online and sold as early as November 2014.
    Total: 111k accounts

  • Mate1.com: All accounts and all associated data on this popular dating site were leaked online after a massive breach in February 2016.
    Total: >27 million accounts

  • NaughtyAmerica.com: All accounts for this popular porn site were stolen in March 2016 and sold online.
    Total: 1.4 million

  • NextGenUpdate.com: This video game website and its accompanying forum suffered a breach sometime in early 2014 leading to the sale of all of its account info.
    Total: ~1.2 million accounts

  • Nexus Mods: This popular game mod hosting hub was breached in July of 2013 resulting in the leak and subsequent sale of all user account data both past and present.
    Total: ALL, exact number unknown

  • Patreon.com: More than 16GB of data including all user account information was stolen in October of 2015. Only after the pertinent data was fully decrypted in February of this year have these accounts been slowly spreading for sale and trade online. Thus far over 2.3 million unique accounts have been identified as compromised with the remainder likely available out there somewhere.
    Total: ALL or >2.3 million accounts

  • PLEX: The online forums for this popular video streaming service/application were compromised in July 2015 resulting in the release of all user account data.
    Total: >327k accounts

  • PS3Hax: This hacking and modding website for PS3 was breached in July 2015 resulting in the loss of all account data. Many of these accounts were leaked with PSN IDs resulting in easy cross referencing and account phishing.
    Total: >447k accounts

  • PSX-Scene: All user data for this forum and website were compromised sometime around Feb 2015 and promptly released online. Many of these accounts were leaked with PSN IDs resulting in easy cross referencing and account phishing.
    Total: >340k accounts

  • Snapchat: This service was breached shortly after an article detailing its security vulnerabilities was published in Jan 2014. The resulting account dump represents a significant breach as it attached many existing known accounts with their corresponding phone numbers, therefore enabling these accounts across other services to be compromised via social engineering with their corresponding support systems.
    Total: >4.6 million accounts

  • Target: A massive company wide breach resulted in the retrieval and sale of all current Target loyalty, rewards, credit card and customer accounts both online and retail. It is currently unknown just how many accounts there were but every single one of them was compromised, leading to a huge influx of unique usernames, emails, phone numbers and passwords available online, opening up not only many straight password crossovers but also a large number of support password resets via the other leaked info affiliated with each email address and username.
    Total: ALL, exact number unknown

  • Tumblr: The popular site was breached some time in early 2013 resulting in its user accounts being sold online over the remainder of the year.
    Total: >65 million accounts

  • VTech: All user accounts in this popular educational resource site were leaked including security questions, dates of birth, phone numbers, and addresses, opening many accounts up for compromise via social engineering on various other websites.
    Total: >5 million accounts

  • Wildstar: User accounts for this MMO started to pop up for sale online in July of 2015. All accounts made prior to the first appearance of sale are suspected to have been compromised.
    Total: ALL, exact number unknown

  • Xbox-Scene: This semi popular Xbox fan forum was totally breached in February of 2015 resulting in the leak of passwords that were often directly attached to gamertags, allowing for easy cross referencing.

  • YouPorn: This incredibly popular porn site was breached in Feb 2013 resulting in the loss of all account data.
    Total: >1.3 million accounts

You can also check to see if your personal account info has been a part of any of the publicly available/known leaks by entering your email into this website and searching. This site cross references your email with all known leaked data and tells you if, where, and when it's been compromised.

Now keep in mind this is only data that has been released online in the past 3 years and it's only the biggest most relevant of the known breaches. As you can see it is becoming easier and easier for certain elements to obtain account data and cross reference it with other popular services in order to exploit shared or similar passwords across said services. It's no surprise then that this is by far the leading cause for compromised accounts (gaming or otherwise) especially when considering the large amount of data that became widely available and publicly circulated only just recently.

So, now that we know the various causes let's answer the most important question:

How can I protect myself from these breaches on XBL or PSN?

2 factor authentication is one method of protecting yourself when available but it is by no means the end all be all when it comes to account security. This is especially true given the recent trend of phone numbers, addresses and other pertinent personal information being tied to modern info leaks. While the use of 2FA does vastly reduce the chances of your account being compromised, accounts with 2FA can have their second factor compromised via phone spoofing, insecure email accounts or even just social engineering using customer support to override it. 2FA can also be inconvenient should you lose access to the phone or email it is attached to.

The single easiest way to protect yourself is actually remarkably simple: create a completely unique password for any and all accounts associated with payments/purchases. There are even password managers such as 1Password and LastPass designed for this very thing. They randomly generate unique passwords and secure them behind their comprehensive encryption services that can then be accessed using a single key of your choosing. Should you wish to be even more secure you can opt to update your password regularly, be it yearly or otherwise. Furthermore you can even opt to remove any payment information following each transaction to absolutely ensure no purchases could be made in the slim chance of a breach still occurring.

Unique passwords DRAMATICALLY decrease the chances of your account being compromised on these services as they are no longer susceptible to the breaches experienced by so many of these other services and sites. These days using the same password across multiple (or heaven forbid all) accounts is basically begging for email accounts and accounts with financially impactful data attached to be compromised sooner or later. As such, using unique keys for each such account exponentially decreases the chances of being compromised.

So, to summarize, please make sure to do the following in order to protect your personal account info:

  1. Don't ever use the same password across multiple financially sensitive or email sites/accounts.

  2. Don't use an easily cracked password like "password" or any other minor variation. Instead, consider using three entirely unrelated words or a password randomly generated by a password manager, as these are the most difficult sort of passwords to crack.

  3. Use 2-step verification whenever available especially for your account related email.

  4. Consider creating more than one email account with completely different names and passwords for registering financially sensitive accounts.

  5. If you can avoid storing sensitive financial info by using pre-paid cards, do so.

  6. Safeguard your PC from Trojans and key loggers by updating and running an antivirus regularly.

While companies could undoubtedly do more to help secure your information or protect you from financial fallout (honestly every company could) it is important to understand that the vast majority of these compromised accounts are not hacks or security breaches of their individual networks. As such they should not, in my opinion, be called "hacks" as it implies a level of fault and suspicion that is entirely unmerited and perpetuates potentially damaging assumptions and misinformation amongst the less informed. The truth is no amount of security options will protect your account if you don't take your own personal security seriously. These companies are not liable for breaches across other sites/account systems/services (nor should they be blamed when this data is used to compromise accounts on their service, in my opinion). Nor is this a problem limited to one specific network (yes, despite what you might believe, XBL is susceptible to this sort of thing as well). While 2 factor authentication is becoming a more popular way of curbing this particular issue, in my opinion, in the grand scheme of things it's only a bandaid for a widespread user specific problem: using the same and/or similar passwords across multiple accounts and services. Make no mistake, doing so is basically the Internet equivalent of playing with fire as it becomes not a question of if you'll get burned but when.

TLDR: Please learn from the errors of your peers and heed the advice of security experts: stop being passive about your own personal information security. Take the necessary steps mentioned above to secure your own information [unique passwords, 2FA, etc] yourself because, in this day and age, when it comes to your personal and financial information online you are quite literally your own worst enemy.

Should anyone have any further helpful advice or information please do post it below. My hope is that this thread will be a valuable resource for people looking to further secure their accounts online.

Edit: The following will be regularly updated to the best of my ability with recent relevant private data dumps

Trillian
In December 2015, the instant messaging application Trillian suffered a data breach. The data was released July 2016 and exposed various personal data attributes including names, email addresses and passwords stored as salted MD5 hashes.
Total - 3,800,000 breached accounts

17
In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.
Total - 4,000,000 breached accounts

Neopets
In June 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email addresses. Passwords were stored in plain text and IP addresses were also present in the breach.
Total - 26,900,000 breached accounts

Warframe
Warframe was hacked and 819k unique email addresses were sold in late June 2016. The attack exposed usernames, email addresses and payment data. Digital Extremes (the developers of Warframe) claims the info is only "alias names" rather than passwords but recently available data shows otherwise.

Edit: As per Kayant (http://m.neogaf.com/showpost.php?p=210804795) this breach occurred in Nov 2014 and it's only the data that was recently released.

Total - 819,000 breached accounts
 

mattiewheels

And then the LORD David Bowie saith to his Son, Jonny Depp: 'Go, and spread my image amongst the cosmos. For every living thing is in anguish and only the LIGHT shall give them reprieve.'
Dec 1, 2004
I just got a login key notification on my Steam app on my phone that I didn't initiate at all. Thank god for 2-step, I guess.
 

Octavianus

Banned
Nov 23, 2014
Huh, good thing I never made a serious profile on BeautifulPeople.com.
I think I had a picture of rank N. Furter on it that miraculously got accepted.
 

low-G

Member
May 6, 2010
Yeah, my main Comcast email was listed as one of those stolen last November. Only found out about a month ago. By pure chance I changed my password on that account later that same month. Saved myself a headache completely randomly.
 

RexNovis

Banned
Sep 8, 2013
JAPAN
twitter.com
Yeah, my main Comcast email was listed as one of those stolen last November. Only found out about a month ago. By pure chance I changed my password on that account later that same month. Saved myself a headache completely randomly.

Well that's certainly lucky of you. I hope you haven't used the password for that Comcast account elsewhere. If so you should change those passwords ASAP too.
 

mrklaw

MrArseFace
Jun 10, 2004
Windsor, UK
That list is useful when you combine it with the likelihood that you use multiple accounts with the same login details. That's the part that never clicked with me until recently. I have used one email address for most accounts and although financial/online store websites I use a password generator for, others like forums etc I'll usually just use one of a few passwords I've memorised.

But since getting fucked over by team user and someone dialling into my computer I have two factor on as many services as possible, and I've not only got unique passwords for any site that is important, I also set up a bunch of separate email addresses so they are also unique across my critical sites - banking, anything using a credit card etc.

I also have my LastPass set to sign out when idle for a short time or when Chrome closes - a PITA when I need to use my phone to authenticate on login, but better than it being too open.
 

Pif

Banned
Jul 4, 2015
I use 25+ passwords in absolute gibberish with special characters thrown in.

I hope I'm safe. Never happened to me.
 

Coreda

Member
May 27, 2013
It's actually already linked in the OP so no need to repost it.

Might be a good idea to place it before the list for greater visibility, and perhaps wrap the heading sections in quote tags to visually break up the text a bit. Up to you. Eg:

Below are a list of some of the biggest/most relevant online account breaches in the past 3 years.

To check if your email has been leaked in any known breaches use this site.

There's a lot of good info there.
 

-shadow-

Member
Sep 22, 2015
My very old email from Adobe was grabbed and my older current one on FFShrine. Which sucks, because outside of that one it seems my details have thankfully been saved. But so far nothing suspicious has happened to me and I change my password every half year for something unique. So hopefully it stays that way.

Edit: oh and it seems LinkedIn two months ago also. That sucks!
 

theindieboy

Member
Jan 18, 2016
Kent, England
Wow RexNovis, amazing job collecting this information. Think I am going to change a few things up. I do use several emails, some just alt emails for main account, others not, but still this is super scary. Adobe looks likely to be my only breach, but God forbid anyone got into my PSN account with all my purchases and 76 plats etc.

Thanks!!!!!
 

PnCIa

Member
Nov 26, 2005
Germany
Yesterday someone tried to log into my Steam account from China using my correct username AND password. I was shocked and changed virtually everything and checked all my devices. So weird.
 

Kayant

Member
Feb 25, 2014
Also recommend using Authy or Authenticator Plus (which I personally use) for added protection for 2FA, as you can use a PIN to secure your accounts compared to Google Authenticator which is wide open.

Also, if you use Authenticator Plus you can export your 2FA accounts to WinAuth which is a PC based 2FA app.

KeePass is also a good alternative if you want something free with all features and control over which cloud service to save your data to.
 

Tunesmith

formerly "chigiri"
Oct 16, 2004
Also, if you use Authenticator Plus you can export your 2FA accounts to WinAuth which is a PC based 2FA app.

I'd personally caution the use of any 2FA app based on the same device as the one you're logging on to accounts with as in the case of a PC. It directly nullifies the added security layer that 2FA normally adds if your PC is compromised.
 

Kysen

Member
Oct 6, 2012
I had someone from Turkey log into my steam account yesterday. If it wasn't for steam guard I would be fucked. I was kinda lazy in that being my only account where I used a password I could actually remember (password manager/authenticator for rest).
 

RexNovis

Banned
Sep 8, 2013
JAPAN
twitter.com
Another site that may have affected GAFers is videogamesplus.ca.

Oh thanks for the heads up! Do we have any further info on how much data leaked? If we can get some more information I'll toss it up in the OP.

Wow RexNovis, amazing job collecting this information. Think I am going to change a few things up. I do use several emails, some just alt emails for main account, others not, but still this is super scary. Adobe looks likely to be my only breach, but God forbid anyone got into my PSN account with all my purchases and 76 plats etc.

Thanks!!!!!

Glad to see you and others getting some use out of the information. I hope to see many more learn a bit about the realities of account security in the modern age. The more informed people are, the less potentially lucrative these sorts of things would be for would-be criminals, and decreased efficiency/monetary gain is a fantastic deterrent.

This really should be "don't ever use the same password".

Baby steps man.

Might be a good idea to place it before the list for greater visibility, and perhaps wrap the heading sections in quote tags to visually break up the text a bit. Up to you. Eg:

There's a lot of good info there.

I can see what you mean but I really dislike using quotations for formatting emphasis as I personally find it confusing. It's kind of a pet peeve of mine haha.
 

Belgorim

Member
May 17, 2007
Sweden
Also had a steam breach yesterday. Email not listed as owned though, so no idea where they got it from. Steam guard was active though.
 

PnCIa

Member
Nov 26, 2005
Germany
I just got a login key notification on my Steam app on my phone that I didn't initiate at all. Thank god for 2-step, I guess.

Someone in Mexico tried logging into my Steam account yesterday, thankfully they detected the suspicious activity and emailed me. I thought it was a rather secure password too, I must have used it somewhere else that got hacked.

I had someone from Turkey log into my steam account yesterday. If it wasn't for steam guard I would be fucked. I was kinda lazy in that being my only account where I used a password I could actually remember (password manager/authenticator for rest).

Also had a steam breach yesterday. Email not listed as owned though, so no idea where they got it from. Steam guard was active though.
Huh. I have no idea if this happens every day and just a lot of people are posting about it in here...or if there is a security problem?
 

jacksepticeye

Member
Feb 15, 2013
Google Authenticator is also a Godsend for sites and apps that allow it. Randomly generating a random code on your phone every 30 or so seconds. That's what I love about Steam's setup too
 

low-G

Member
May 6, 2010
Well that's certainly lucky of you. I hope you haven't used the password for that Comcast account elsewhere. If so you should change those passwords ASAP too.

Yes, I use unique passwords on every site now. Didn't used to except on sites that take money: MMOs and pay sites, despite being aware of the risk, until many breaches back around 2010's...
 

RealityCheque

Banned
Sep 19, 2014
Ireland
But popular movies about computer hacking in the 1990s assured me that "GOD" was a very secure password, and cool too!

Seriously though, remove payment info from your account. Use gift cards or, if you have to, PayPal on a case by case basis. No exceptions.
 

DarkCronos

Member
Jul 18, 2011
Italy
ilovevg.it
Use this to check if you have an account on a service that's been breached: https://haveibeenpwned.com/


Apparently I have an account on 4 different breached services.
A few weeks ago my Origin/EA account got stolen by some Russian guy. I managed to recover it through customer assistance, and I changed ALL of my passwords. Now I know how they managed to steal my account in the first place.
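The OP and DarkCronos both point at haveibeenpwned.com for checking whether an email address is in a known dump; the same service also lets you check a password without revealing it, through the Pwned Passwords range API. The client sends only the first five hex characters of the password's SHA-1, receives every suffix that shares that prefix (several hundred of them) and does the final match locally, so the server never learns the full hash. The Python below is an added example, not the site's own client code; the `SAMPLE_RANGE_5BAA6` reply is constructed for offline use and its counts are made up, while the prefix/suffix split and the `SUFFIX:COUNT` line format are the real protocol.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real endpoint; only the 5-character hash prefix is ever appended to it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is
    sent and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range reply ('SUFFIX:COUNT' per line) and return the breach count
    for our suffix, or 0 when it is not listed."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        hit, sep, count = line.partition(":")
        if sep and hit.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). The reply covers every suffix under `prefix`,
    so the server cannot tell which password was being checked."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """How many times the password appears in the breach corpus. Supply `range_body`
    to work offline; otherwise the range is fetched for the computed prefix."""
    prefix, suffix = split_sha1(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed stand-in for a reply to /range/5BAA6. A real reply lists hundreds
# of suffixes; the three lines and the counts below are made up for the demo.
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FEDCBA9876543210FEDCBA9876543210FED:17
"""

if __name__ == "__main__":
    print("'password' seen", pwned_count("password", SAMPLE_RANGE_5BAA6), "times (sample data)")
```

A non-zero count is the signal to retire that password everywhere it was used, which is exactly the cross-referencing the OP describes, run in your own favour. The design is worth copying for any "is this value in a leaked set" check: hash, send a short prefix, match the rest client-side.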
 

Orin GA

I wish I could hat you to death
Jun 6, 2004
I has a system

Unique Password for my Comcast Account

Unique Password for my Gmail/Google Account

Unique Password for sites that hold Banking/Credit Info

Unique Password for Steam and Trusted Store Merchants

Unique Password for sites that don't have hold of any personal info (or low level security)

(Forums, Social Sites and the like)

So far the only site that I use a password for that was breached was the Nexus modding site.
 

Tunesmith

formerly "chigiri"
Oct 16, 2004
Figure I'd mention it here as it maybe affects a few who check in on this thread.

If you use Spark mail app on iOS it appears they may have had a breach of Apple IDs used on their service. There's a post on Reddit where there's a lot of (not confirmed) Spark users who've gotten their Apple IDs locked due to suspicious activity in the last day. Myself included, for the 1 Apple ID I have used on Spark.


"Has there been a breach of Apple IDs? Something weird is going on today."
http://reddit.com/r/apple/comments/4sw6hm/has_there_been_a_breach_of_apple_ids_something/
 

spazimoose

Member
Mar 7, 2016
California
Man in the middle attacks and phishing are a big problem too! Never log in to important accounts using insecure connections. Whenever you're logging in to important accounts make sure the URL is the one you expected and that you're using HTTPS wherever possible. Never trust links from emails or attachments! Security isn't hard, you just need to put in a little bit of effort here and there. Obligatory XKCD
 

magawolaz

Member
Mar 28, 2011
I remember I was in the clear with my main email on haveibeenpwned until a few months ago... just checked now and fucking Tumblr breach came up. I never even used tumblr that much.

But I can't remember the password I used at the time... I think I changed it following the 2014 "Heartbleed bug" notice, and I changed password and email again last January.
Hopefully I used a LastPass autogenerated password...
 

Tunesmith

formerly "chigiri"
Oct 16, 2004
This educational video on password cracking would be a good OP info candidate as well:

https://www.youtube.com/watch?v=7U-RbOKanYs
"'Beast' cracks billions of passwords a second, Dr Mike Pound demonstrates why you should probably change your passwords..."

Highly recommended to watch. It’s quite enlightening on just how ridiculously easy it is to crack passwords that are typically perceived as 'safe'.
 

petran79

Banned
Sep 17, 2012
There are professional tools for this. Eg one friend of mine with help from a specialist, was able to log in to the Facebook account of an unknown person who claimed to have known him, while that person was logged in. He had to be silent while in his account or else he'd have been detected. He just saw that he was chatting with some girls so he did not bother afterwards.

Also inactive accounts are far less secure. If they see no activity they'll find a way to tamper with it.
 

RexNovis

Banned
Sep 8, 2013
JAPAN
twitter.com
Updating the OP with the following breaches from which data was recently publicly released.

Trillian
In December 2015, the instant messaging application Trillian suffered a data breach. The data was released July 2016 and exposed various personal data attributes including names, email addresses and passwords stored as salted MD5 hashes.
Total - 3,800,000 breached accounts

17
In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.
Total - 4,000,000 breached accounts

Neopets
In June 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email addresses. Passwords were stored in plain text and IP addresses were also present in the breach.
Total - 26,900,000 breached accounts
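The three breach notes above give the whole spectrum of password storage: Neopets kept plain text, "17" kept unsalted MD5, Trillian kept salted MD5. Tunesmith's Computerphile link a few posts up shows why the middle case is barely better than the first. The Python below is an added example written for this thread (not code from any poster or from the Computerphile video) that builds each kind of table from a constructed three-user sample and makes the difference concrete: with unsalted hashes, two users who picked the same password are visible as duplicates before anyone tries a guess, and one hash computation per candidate word covers every account at once; per-user salt removes both properties; a slow, salted KDF (PBKDF2-HMAC-SHA256 here, with the iteration count from OWASP's Password Storage Cheat Sheet) is what a service should actually store.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# Constructed sample users; two of them chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Unsalted MD5 table (the '17' case): identical passwords become identical hashes."""
    return {u: md5_unsalted(p) for u, p in users.items()}


def users_sharing_hashes(table: Dict[str, str]) -> List[List[str]]:
    """Group accounts whose stored hash is identical: reuse shows up without any guessing."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def wordlist_matches(table: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Why an unsalted fast hash is cheap to attack: one MD5 per candidate word is
    compared against every account at once, so cost does not grow with user count."""
    lookup = {md5_unsalted(w): w for w in wordlist}
    return {u: lookup[h] for u, h in table.items() if h in lookup}


def store_salted_md5(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Per-user random salt (the Trillian case): identical passwords now hash differently
    and every account has to be guessed separately. MD5 itself is still far too fast."""
    table: Dict[str, Tuple[bytes, str]] = {}
    for user, password in users.items():
        salt = os.urandom(16)
        table[user] = (salt, hashlib.md5(salt + password.encode("utf-8")).hexdigest())
    return table


PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 figure from OWASP's Password Storage Cheat Sheet


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash. The record carries algorithm, cost and salt so it stays verifiable
    after the cost is raised for new users."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = store_unsalted(USERS)
    print("accounts sharing a hash:", users_sharing_hashes(table))
    print("wordlist hits:", wordlist_matches(table, ["letmein", "hunter2", "qwerty"]))
    salted = store_salted_md5(USERS)
    print("salted hashes differ for alice/bob:", salted["alice"][1] != salted["bob"][1])
    rec = pbkdf2_record("hunter2")
    print("pbkdf2 verify:", pbkdf2_verify("hunter2", rec), pbkdf2_verify("hunter3", rec))
```

From the user's side the lesson is the one the OP keeps repeating: you do not get to choose how a forum stores your password, so assume the weakest case on the list and never let a forum password be the same as an email or payment password. From the operator's side, a salted slow KDF (PBKDF2 as here, or bcrypt/scrypt/Argon2) is the difference between a leaked table that exposes every user and one that exposes almost none.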
 

pelican

Member
Apr 16, 2007
Death Star
PSN needs 2 step/factor, no excuses.

It boggles the mind that Sony are still leaving the door open to potential account abuse.

All my digital accounts have 2 step security either via authentication apps on my iPad,or via SMS. All, bar PSN.

edit - Also use unique randomly generated passwords for each service and store them in an encrypted application.
 

RexNovis

Banned
Sep 8, 2013
JAPAN
twitter.com
PSN needs 2 step/factor, no excuses.

It boggles the mind that Sony are still leaving the door open to potential account abuse.

All my digital accounts have 2 step security either via authentication apps on my iPad,or via SMS. All, bar PSN.

edit - Also use unique randomly generated passwords for each service and store them in an encrypted application.

Did either of you even read the op before posting about 2FA?

I wrote at length about the various ways in which accounts are compromised these days and the methods that can be used to protect yourself, of which 2FA is one. As useful as it would be, it's not the end-all be-all solution people make it out to be. It's basically a band-aid for the underlying issue: reusing passwords across multiple sites and accounts.