Sunday, May 24, 2020

Received an email from a hacker which displays my actual password.

A number of people have let me know they've received blackmail emails from a scammer, and the email includes their actual password.

First, most of these emails are a scam designed to scare people into doing what the scammer wants, which is usually to pay a ransom in bitcoin.

Is the password really the person's password? Yes, it is.

Did they really infect the person's computer and get their password whilst doing something embarrassing such as watching porn? The answer is almost certainly not. It is possible, but very, very unlikely.

How then did the scammers get the passwords?

Many popular sites have been hacked and the usernames (email addresses) and passwords stolen. This may have been done some time ago, but since people tend to keep using the same password across multiple accounts with the same email address, if one account gets hacked and you're using the same email address and password across a number of accounts, then in effect all of those accounts can be accessed. A hacker only needs an automated tool (or low-cost labour) to test the credentials on the major sites and they'll be able to get into many of them. They are not targeting you personally; to them it's just a numbers game. The more accounts they try, the more they'll get into.
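Seen from the site operator's side, the automated credential testing described above leaves a distinctive trace in the authentication logs: one source address trying many different accounts in a short burst, most of them failing. The following is an added example, not code from the original post; the log format and every log line in it are constructed for illustration, and `parse_line()` would need adapting to a real log format.

```python
# Added example, not from the original post: spotting the automated
# credential testing the post describes, from a site operator's own
# authentication logs. The log format and every line below are constructed
# for illustration; adapt parse_line() to your real log format.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2020-05-24T10:00:01Z login ip=203.0.113.7 user=alice@example.com result=FAIL
2020-05-24T10:00:02Z login ip=203.0.113.7 user=bob@example.com result=FAIL
2020-05-24T10:00:02Z login ip=203.0.113.7 user=carol@example.com result=FAIL
2020-05-24T10:00:03Z login ip=203.0.113.7 user=dave@example.com result=OK
2020-05-24T10:00:03Z login ip=203.0.113.7 user=erin@example.com result=FAIL
2020-05-24T10:00:04Z login ip=203.0.113.7 user=frank@example.com result=FAIL
2020-05-24T10:00:10Z login ip=198.51.100.9 user=alice@example.com result=FAIL
2020-05-24T10:00:20Z login ip=198.51.100.9 user=alice@example.com result=OK
2020-05-24T10:05:00Z login ip=192.0.2.44 user=bob@example.com result=OK
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, _event, ip, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip.split("=", 1)[1],
        "user": user.split("=", 1)[1],
        "ok": result.split("=", 1)[1] == "OK",
    }


def find_credential_stuffing(log_text, window=timedelta(minutes=5),
                             min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that hit many *different* accounts inside one window
    with mostly failures: the signature of someone replaying a leaked
    email/password list. A single user retrying their own password does
    not trigger this, because the distinct-user count stays at 1."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in burst}
            failures = sum(1 for e in burst if not e["ok"])
            if len(users) >= min_users and failures / len(burst) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(burst),
                    "distinct_users": len(users),
                    "failures": failures,
                    # accounts the attacker did get into: these need a forced reset
                    "successes_for": sorted(e["user"] for e in burst if e["ok"]),
                }
                break  # one hit per source is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed log, only `203.0.113.7` is flagged (six accounts in four seconds, five failures), and the one account it logged into successfully is listed so the operator knows whose password has just been confirmed as reused. The retrying user on `198.51.100.9` is not flagged because it only ever touches one account.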

I've always felt using your email address as a username was a bad change in security practice. In the past a username was not your email address, but a name you nominated. Once the trend set in to use the email address as the username, half the security was lost. It's like having a security door and your front door, both with locks, and then leaving the security door unlocked: one of the two points of home security is lost. The same is true when an email address is used as a username. Our email address is used and known by many around us, and it's very easy to check with a very simple program whether an email address is valid. In effect an email address becomes public, so instead of having a username and a password stopping people, you only have the password.

Given people are not that different, even if we think we're using a difficult password, chances are hundreds or even thousands of others are using exactly the same one. If you use a common or easy password, it can be tested in combination with your email address, although that requires work. However, if large sites get hacked, the encrypted passwords are stolen and, given time, they can be worked out. The hacker then has both the username and the password. The scammer uses this information to send you an email, which to you can be quite scary.

I decided to do a quick check and find some of the sites that have been hacked in the past. If you're using any of these sites and haven't changed your password recently, you really should.

What else should you do?

If you can sign up to a site using a username (not an email address) that you create and a password you create, that is more secure than using your email address as a username. It's also better than signing up with your Facebook or Google account. Those who sign up with a service like Facebook or Google (e.g. Gmail) to access other services risk all of those services if their Google or Facebook account becomes known. Even worse is using the same email address and password on Facebook and Google services as you do on other services.

Next use a unique, difficult and different password on every service you join. Yes, it's a pain, but absolutely necessary.

As for password generators I personally don't trust them. Others do, but I don't. Password generating software has been hacked as well. Letting your passwords get saved by your browser is also something I don't do. Browsers can get hacked.

The following is a link to a site which recently posted an article on the number of unique accounts (email addresses and passwords) they've collected from various nefarious sources. Remember, hackers sell this information to make money and in doing so have to make the information available. In total they've collected 773 million, with more being added. When you have that level of information you can pull out the most commonly used passwords. I once did this for mobile phone PIN numbers and found that by using the top 100 PINs you could in theory, on average, unlock one in every six mobile phones you tried. A similar approach can be used with passwords.

https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

On this site you can supposedly check whether your email address has been found in a hacked database and, further, whether your password is known or is one of the common passwords. I'd highly recommend you do not use any service to check your email address or password. You simply don't know who you are giving that information to. Even if I ran such a service I'd still suggest that people didn't use it. That's why I don't provide one.

Assume that your email address is known. There's nothing you can do about that. If you've been using the same password for some time, it's time you changed it. Assume your email address / password combination has been hacked somewhere. If you can, sign up to services that use a username that isn't an email address. Think about using different email addresses for different types of services. For really important services that present considerable risk (e.g. banks) make the extra effort not to use a username or password combination you've used elsewhere, and make sure you update it regularly. Keep in mind, even updating a username/password may represent a risk if you have an infected computer: the password that was previously not known is replaced with one that is known, if your computer is infected at the time of updating.

Security does take some effort but in the end it's worth the effort.

Here's a short list of some of the hacked sites and the articles where they were mentioned.

https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/
Dubsmash (162 million)
MyFitnessPal (151 million)
MyHeritage (92 million)
ShareThis (41 million)
HauteLook (28 million)
Animoto (25 million)
EyeEm (22 million)
8fit (20 million)
Whitepages (18 million)
Fotolog (16 million)
500px (15 million)
Armor Games (11 million)
BookMate (8 million)
CoffeeMeetsBagel (6 million)
Artsy (1 million)
DataCamp (700,000)

The site below lists many sites that have been hacked. I've listed a few of the ones that stand out to me.
https://haveibeenpwned.com/PwnedWebsites
Adobe (152 million)
Ancestry (279 thousand)
Ashley Madison (31 million)
Avast (423 thousand)
Bitly (9.3 million)
Canva (137 million)
Disqus (17 million)
Dropbox (68 million)
Elance (1.3 million)
Imgur (1.7 million)
Kickstarter (5 million)
Last.fm (37 million)
LinkedIn (164 million)
MySpace (359 million)
Neopets (26 million)
Snapchat (4 million)
Trillian (3 million)
Tumblr (65 million)
Zomato (16 million)

The above list is not exhaustive. If you are wondering whether a site you use has been hacked, do a search in Google for the site name and the word "hacked". See if anything comes up and, if it does, it's time to think about changing the password.

Out of curiosity I decided to search for the top 100 passwords. If your password is on the list, well, what can I say: time to put more effort into security. The Forbes site had the following list. (Credit https://www.forbes.com/sites/daveywinder/2019/12/14/ranked-the-worlds-100-worst-passwords/#11dab34f69b4)

12345
123456
123456789
test1
password
12345678
zinch
g_czechout
asdf
qwerty
1234567890
1234567
Aa123456.
iloveyou
1234
abc123
111111
123123
dubsmash
test
princess
qwertyuiop
sunshine
BvtTest123
11111
ashley
00000
000000
password1
monkey
livetest
55555
soccer
charlie
asdfghjkl
654321
family
michael
123321
football
baseball
q1w2e3r4t5y6
nicole
jessica
purple
shadow
hannah
chocolate
michelle
daniel
maggie
qwerty123
hello
112233
jordan
tigger
666666
987654321
superman
12345678910
summer
1q2w3e4r5t
fitness
bailey
zxcvbnm
fuckyou
121212
buster
butterfly
dragon
jennifer
amanda
justin
cookie
basketball
shopping
pepper
joshua
hunter
ginger
matthew
abcd1234
taylor
samantha
whatever
andrew
1qaz2wsx3edc
thomas
jasmine
animoto
madison
0987654321
54321
flower
Password
maria
babygirl
lovely
sophie
Chegg123
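Two things from this post lend themselves to a small script: checking a password against the list above without sending it to any online service, which is in keeping with the advice earlier in the post, and the "top N passwords" exercise described for the 773 million record collection and the phone PIN anecdote. The following is an added example, not code from the original post. `WORST_100` is the Forbes list exactly as reproduced above; `CORPUS` is a constructed toy corpus, not real breach data, used to show how a leaked set of passwords is ranked by frequency and what fraction of accounts the top N would open.

```python
# Added example, not part of the original post. Checks a password locally
# against the top-100 list reproduced in the post (nothing leaves your
# machine) and shows how a leaked corpus is reduced to a "most common
# passwords" list and how much of the corpus the top N covers.
# CORPUS below is constructed for illustration, not real breach data.
from collections import Counter

# The 100 entries from the Forbes list quoted in the post, in the same order.
WORST_100 = """12345 123456 123456789 test1 password 12345678 zinch g_czechout
asdf qwerty 1234567890 1234567 Aa123456. iloveyou 1234 abc123 111111 123123
dubsmash test princess qwertyuiop sunshine BvtTest123 11111 ashley 00000 000000
password1 monkey livetest 55555 soccer charlie asdfghjkl 654321 family michael
123321 football baseball q1w2e3r4t5y6 nicole jessica purple shadow hannah
chocolate michelle daniel maggie qwerty123 hello 112233 jordan tigger 666666
987654321 superman 12345678910 summer 1q2w3e4r5t fitness bailey zxcvbnm fuckyou
121212 buster butterfly dragon jennifer amanda justin cookie basketball shopping
pepper joshua hunter ginger matthew abcd1234 taylor samantha whatever andrew
1qaz2wsx3edc thomas jasmine animoto madison 0987654321 54321 flower Password
maria babygirl lovely sophie Chegg123""".split()

# Case-folded copy so "PASSWORD" is treated the same as "password".
_WORST_FOLDED = {p.casefold() for p in WORST_100}


def is_known_bad(password: str) -> bool:
    """True if the password (ignoring case) is on the published worst-100 list."""
    return password.casefold() in _WORST_FOLDED


def most_common_passwords(corpus, n):
    """Rank a leaked corpus by frequency, the exercise the post describes."""
    return Counter(corpus).most_common(n)


def top_n_coverage(corpus, n):
    """Fraction of accounts in the corpus that use one of the top-n passwords.
    This is the 'one in six phones' style figure from the post's PIN anecdote."""
    counts = Counter(corpus)
    covered = sum(c for _, c in counts.most_common(n))
    return covered / len(corpus)


# Constructed corpus: 70 "accounts" with heavily reused passwords.
CORPUS = (["123456"] * 30 + ["password"] * 20 + ["qwerty"] * 10 + ["summer"] * 5
          + ["correct-horse-battery", "Tr0ub4dor&3", "x9!Lq2#pW", "uniq-one", "uniq-two"])


if __name__ == "__main__":
    for candidate in ("Password", "qwerty123", "x9!Lq2#pW"):
        print(candidate, "->", "on the worst-100 list" if is_known_bad(candidate) else "not on the list")
    print(most_common_passwords(CORPUS, 3))
    print("top 3 passwords cover %.0f%% of accounts" % (100 * top_n_coverage(CORPUS, 3)))
```

On the constructed corpus the three most common passwords account for 60 of the 70 accounts, which is the kind of figure that makes trying a short list against a large number of accounts worthwhile for an attacker, and is why a site should refuse to accept any password on such a list at sign-up.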

I hope others find this information a timely reminder to think about their passwords and how they're used across multiple sites.

Kelvin Eldridge
www.OnlineConnections.com.au
