
Account "Hacks": Why do they happen & What you can do?

Justinh

Member
Great thread OP.

I use 2 factor with everything that allows it (I can't even look at my youtube subs without my phone nearby), but I also use a password generator for each password I create now and then add some at the end because I don't think they're long enough.

Unfortunately, my phone borked up during an update a few days ago, so I had to do a restore and lost some of my newer passwords. I've been meaning to write them all down in a little black book somewhere, and I guess putting it off for so long bit me in the ass. Had to do password recoveries for the better part of a day. Edit: also... not doing more regular backups of my phone bit me in the ass. Now I'm having a hard time getting an Android app back and working on my phone (I use an oldish BlackBerry).

I am terrified by the idea of key loggers...


My Steam account would get hacked every so often from 2007-2010. I have no idea how hackers gained access; I keep my computer pretty secure and I don't visit any weird sites. I would track down my account and see that someone had changed my user name, deleted all my friends, and had access to all of my previously purchased games. It was absolutely devastating for me every time it happened. I always managed to get my account back through Steam support, but the process was always long and nerve-racking.

Steam introduced Steam Guard in 2011, and my Steam account has been hack free for several years now. It's maddening that more services do not have something like steam guard. I feel a lot safer knowing that hackers need access to my email before they can potentially break into my account.
Yeah, I'm hoping steamguard and a long ass unique password keeps me safe on Steam.
http://www.gameinformer.com/b/news/...77000-steam-accounts-hijacked-each-month.aspx
 

barit

Member
After getting hacked on Diablo 3 I learned my lesson. The best and safest things are these unique codes which you can get over an app on a smartphone or over a separate dongle (I think they are called mobile authenticators). I use it for Blizzard and FFXIV and still can use my 20-year-old-hacked-low-ass-secured password on these two sites :)
 
My Steam account would get hacked every so often from 2007-2010. I have no idea how hackers gained access; I keep my computer pretty secure and I don't visit any weird sites. I would track down my account and see that someone had changed my user name, deleted all my friends, and had access to all of my previously purchased games. It was absolutely devastating for me every time it happened. I always managed to get my account back through Steam support, but the process was always long and nerve-racking.

Steam introduced Steam Guard in 2011, and my Steam account has been hack free for several years now. It's maddening that more services do not have something like steam guard. I feel a lot safer knowing that hackers need access to my email before they can potentially break into my account.
 

RexNovis

Banned
Heads up everyone looks like Warframe suffered an account breach:

Warframe
Warframe was hacked and 819k unique email addresses were sold in late June 2016. The attack exposed usernames, email addresses and payment data. Digital Extremes (the developers of Warframe), claims the info is only "alias names" rather than passwords but recently available data shows otherwise.
Edit: As per Kayant, this breach occurred in Nov 2014 and it's only the data that was recently released.
Total - 819,000 breached accounts
 

Justinh

Member
Heads up everyone looks like Warframe suffered an account breach:

Warframe
Warframe was hacked and 819k unique email addresses were sold in late June 2016. The attack exposed usernames, email addresses and payment data. Digital Extremes (the developers of Warframe), claims the info is only "alias names" rather than passwords but recently available data shows otherwise.
Total - 819,000 breached accounts

Oh geez...
Thanks for the heads-up. Guess I gotta change another password.
 

Kayant

Member
Heads up everyone looks like Warframe suffered an account breach:

Warframe
Warframe was hacked and 819k unique email addresses were sold in late June 2016. The attack exposed usernames, email addresses and payment data. Digital Extremes (the developers of Warframe), claims the info is only "alias names" rather than passwords but recently available data shows otherwise.
Total - 819,000 breached accounts
Where is the claim from btw? I can't seem to find it on what seems to have been the first site to report this, motherboard.vice.

Also should be noted this happened last year.
 

RexNovis

Banned
Where is the claim from btw? I can't seem to find it on what seems to have been the first site to report this, motherboard.vice.

Also should be noted this happened last year.

Ahh thanks for the extra info I'll update the op. My info came from an RSS news feed on account breaches. Currently on mobile w/o access to it.
 

Capella

Member
Ahh thanks for the extra info I'll update the op. My info came from an RSS news feed on account breaches. Currently on mobile w/o access to it.

Haveibeenpwned lists passwords as part of the compromised data:

In November 2014, the online game Warframe was hacked and 819k unique email addresses were exposed. Allegedly due to a SQL injection flaw in Drupal, the attack exposed usernames, email addresses and data in a "pass" column which adheres to the salted SHA512 password hashing pattern used by Drupal 7. Digital Extremes (the developers of Warframe) asserts the salted hashes are of "alias names" rather than passwords.

Compromised data: Email addresses, Passwords, Usernames, Website activity

I think right now it's just yet to be confirmed if what Digital Extremes says is true, and that probably won't happen until those passwords are cracked and verified with users. Vice and Haveibeenpwned probably only verified that the emails were associated with Warframe accounts, based on the description given for this entry.

Strange thing though, I have a Warframe account that was created before the breach but it's not showing up on Haveibeenpwned for me.
 

Kayant

Member
Ahh thanks for the extra info I'll update the op. My info came from an RSS news feed on account breaches. Currently on mobile w/o access to it.
Ha, I see. Weird that it's so distant from what was said; maybe the info was updated?
Haveibeenpwned lists passwords as part of the compromised data:



I think right now it's just yet to be confirmed if what Digital Extremes says is true, and that probably won't happen until those passwords are cracked and verified with users. Vice and Haveibeenpwned probably only verified that the emails were associated with Warframe accounts, based on the description given for this entry.

Strange thing though, I have a Warframe account that was created before the breach but it's not showing up on Haveibeenpwned for me.
Yeah, I think that is the same with me, although I'm not 100% sure what month I made the account, but it was in 2014 and my email isn't there.
 

RexNovis

Banned
Strange thing though, I have a Warframe account that was created before the breach but it's not showing up on Haveibeenpwned for me.

Yeah, I think that is the same with me, although I'm not 100% sure what month I made the account, but it was in 2014 and my email isn't there.

They may not have added the new data to the search table yet. From what I can tell they only posted the breach today. Maybe check again in a few days just to be sure.
 

zsidane

Member
Thanks for the informative thread!

I didn't know that Trillian was hacked :(
Changed my password to something like TrillianFailedMe (just for fun, since I deleted the account afterward);
 

Saintruski

Unconfirmed Member
Heads up everyone looks like Warframe suffered an account breach:

Warframe
Warframe was hacked and 819k unique email addresses were sold in late June 2016. The attack exposed usernames, email addresses and payment data. Digital Extremes (the developers of Warframe), claims the info is only "alias names" rather than passwords but recently available data shows otherwise.
Edit: As per Kayant, this breach occurred in Nov 2014 and it's only the data that was recently released.
Total - 819,000 breached accounts


One of the many things I practice is dissociation. Not only does everything I sign up for have a different email, but they will have nothing to do with me, and neither does the info I signed up with. I keep all that info, usernames and passwords on an IronKey which not only needs 2 passwords and a fingerprint to unlock but also a YubiKey which also needs a password to unlock itself. That's just the tip of the iceberg on how I lock my shit down and keep it secure. Lol I'm full tinfoil hat, I spent a lot of time in infosec and computer science getting degrees for the fun of it.
 

woopWOOP

Member
I wasn't even aware of the Patreon breach...

I always use a couple of different password combinations, some 8 keys long, some 4 keys, and just mix them as different combinations. Like [1][2][3], [1][4][2], [2][1][5], etc.

There's probably a few overlapping combinations tho, so I was thinking of going through all my different accounts pretty soon and making sure there isn't a single double.
 

Saintruski

Unconfirmed Member
I wasn't even aware of the Patreon breach...

I always use a couple of different password combinations, some 8 keys long, some 4 keys, and just mix them as different combinations. Like [1][2][3], [1][4][2], [2][1][5], etc.

There's probably a few overlapping combinations tho, so I was thinking of going through all my different accounts pretty soon and making sure there isn't a single double.


Interesting
 

RexNovis

Banned
I wasn't even aware of the Patreon breach...

I always use a couple of different password combinations, some 8 keys long, some 4 keys, and just mix them as different combinations. Like [1][2][3], [1][4][2], [2][1][5], etc.

There's probably a few overlapping combinations tho, so I was thinking of going through all my different accounts pretty soon and making sure there isn't a single double.

It's best just to create unique passwords for each account and not mix and match like your system currently entails. Perhaps consider using one of the password managers I mentioned in the OP. It could make the process much simpler for you.

One of the many things I practice is dissociation. Not only does everything I sign up for have a different email, but they will have nothing to do with me, and neither does the info I signed up with. I keep all that info, usernames and passwords on an IronKey which not only needs 2 passwords and a fingerprint to unlock but also a YubiKey which also needs a password to unlock itself. That's just the tip of the iceberg on how I lock my shit down and keep it secure. Lol I'm full tinfoil hat, I spent a lot of time in infosec and computer science getting degrees for the fun of it.

Haha wow that's pretty much as secure as it could possibly get. Clearly you know your stuff.
 

Kayant

Member

RexNovis

Banned
Bumping this again due to the recent surge of account "hack" threads. Hopefully it helps some people prevent potential account hijacks.
 

Asgaro

Member
Great initiative!

--------------------

My data has been found in around 10 breaches already. Checked https://haveibeenpwned.com/ as well as https://www.leakedsource.com/
The latter actually shows even more breaches than the first site.
(Though the latter looks a bit suspicious. You can also purchase access to the data, which in my opinion seems like dark net business, no?)

About 2 months ago, I noticed suspicious activity on my Reddit account (check here https://www.reddit.com/account-activity ). Yes, I was reusing login and password combinations.

That was the final straw, so now I'm using
- password manager ( https://www.safe-in-cloud.com/en/ )
- 2FA (Authy app) on as many services as I could apply it to: 15 services in total!
For a complete list, one can check https://twofactorauth.org/

--------------------

Should this get added to the list? https://motherboard.vice.com/read/apple-intel-google-employee-accounts-exposed-in-data-breach

Hackers have stolen thousands of accounts from a developers’ forum, including some belonging to Apple, Google, and Intel employees.

The data comes from the website of Khronos Group, a non-profit focused on the creation of open standard APIs for the playback of media files on various platforms and devices. The group manages Open Graphics Library (OpenGL), which is used by developers in everything from computer-aided design to video games.

There are quite a few game developers on here or lurking, I assume.
 

8bitghost

Member
Sony now find themselves in the same position as Microsoft in 2011 when the media began reporting on a spate of unauthorized transactions relating [mostly] to FIFA. There were so many compromised accounts that Microsoft felt compelled to issue a statement:

"We do not have any evidence the Xbox LIVE service has been compromised. We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats."

The number of stolen XBL accounts continued to escalate in 2012 and early 2013, but Microsoft was sure that nothing was fundamentally wrong with their service:

"It's not a hack, it's really just a different way to monetise stolen accounts... Any service has compromises. Facebook has compromises, WOW has compromises. What they're really doing is trying to make money off those compromises. So FIFA is a very popular title - it's just a new way for the bad guys to make money. ... There's phishing, there's social engineering, there's malware. Based off of the industry today, most of it comes off malware and phishing. If they get the accounts, they sell it"

Microsoft's solution was to offer two-factor authentication for XBL users in 2013. And while we still read the occasional report of a compromised account, the problem is largely under control. Meanwhile the scammers are focusing more attention on gaining access to PlayStation Network accounts to continue their trade, as we witness a steady dribble of unauthorized transactions relating to FIFA, NBA 2K16 and, more recently, Neverwinter. It will only decrease when Sony provide two-factor authentication.
 

8bitghost

Member
Sony will be implementing two-factor authentication this week, according to a support worker on Reddit.

Australia and New Zealand starting tomorrow, "other regions should be getting it next week if all goes to plan".

It will work as an SMS service where you will have to input a mobile number on your account, and every new login from a PS4 or PC will send an SMS message with a verification code.
 

web01

Member
I think someone was trying to hack my psn account recently.

Firstly I received a random psn message from someone I had never met initiating conversation but pretending to know me.

A day later I receive an email to "mypsnname"@gmail also initiating conversation but in a different way. I have never given this email address to anyone, I don't use it for my psn I only made it to reserve the email name and have messages forwarded to my real email address.

I believe they were trying to phish details about me such as name / location / PSN email address so they could initiate an account recovery by contacting Sony directly on the phone.

Do not respond to cold contact from randoms especially if they are trying to find out information about you.
I think social engineering is the way many accounts are stolen.
 
Another thing to do is to give nonsense answers to "security questions". In the age of Facebook, it's easy to find out where you were born and what your dog's name is or your favorite band or Mother's maiden name is....

Don't put in real answers!
 
If you can avoid storing sensitive financial info by using pre-paid cards, do so.
It might be worth noting that many companies like Sony create 'pre-approved' payment schemes against your PayPal account when you pay for something. You can log in to PayPal and see all your current pre-approved payment links and cancel them (you'll need to do this after every purchase though!)

Personally I think removing these links is sufficient and buying pre-paid cards doesn't really gain you anything, security wise - and is more hassle.
 

Keihart

Member
I'm thinking of starting to use a password manager, but I don't feel like paying monthly or using one with a cloud system. I just looked at RoboForm and it seems to be full of holes after some googling. Any recommendations? Or should I start to keep a notepad with all my passwords?
 

EmiPrime

Member
I'm thinking of starting to use a password manager, but I don't feel like paying monthly or using one with a cloud system. I just looked at RoboForm and it seems to be full of holes after some googling. Any recommendations? Or should I start to keep a notepad with all my passwords?

1Password has WiFi syncing (or no syncing at all) if you don't want to use Cloud syncing. They also offer traditional licenses (buy once) as well as subscriptions.
 

Joni

Member
I'm thinking of starting to use a password manager, but I don't feel like paying monthly or using one with a cloud system. I just looked at RoboForm and it seems to be full of holes after some googling. Any recommendations? Or should I start to keep a notepad with all my passwords?

KeePass is an offline solution.

this is safe to use, right lol?

Yes. It should be mandatory to use.
 

Keihart

Member
1Password has WiFi syncing (or no syncing at all) if you don't want to use Cloud syncing. They also offer traditional licenses (buy once) as well as subscriptions.

I went to the site previously and was put off by the cloud and monthly stuff, but now I scrolled down to the bottom and saw the license option. That's great, thanks.

Edit: wow, KeePass looks pretty awesome and exactly what I was looking for, and it's even free!
 
To have a different email account for all sites is trivially easy - buy a domain, direct all mail to your normal inbox, then sign up to each site with a unique address eg amazon@mydomain.com, mybank@mydomain.com etc.
I did that for a few years, but I was flooded with so much spam that I had to stop. The worst were the ones who'd just flood out hex nonsense like c1d3df24@domain.com, d41de3fdd@domain.com, etc., etc., etc. If someone's emailing things like charlie@domain.com in the hopes of reaching an actual person, I get it, but those others...? I was getting literally thousands of those a day.

If I were doing it all over again, I'd still use different emails for every site, but I'd whitelist addresses instead of allowing everything for that domain to route to my inbox.
 

Kayant

Member
I'm thinking of starting to use a password manager, but I don't feel like paying monthly or using one with a cloud system. I just looked at RoboForm and it seems to be full of holes after some googling. Any recommendations? Or should I start to keep a notepad with all my passwords?
KeePass, Enpass and SafeInCloud Password Manager are all free and have offline databases.
 

8bitghost

Member
Here is an alarming Microsoft blog piece from May concerning the millions of leaked Gmail, Yahoo and Hotmail credentials that appeared for sale on a Russian website.

As a lot of you know, a number of articles were published last week about a Russian hacker offering 272.3 million stolen usernames and passwords. ...

When we discover a new list of usernames and passwords, we run them through an automated system that checks to see if any of the credentials match those in our MSA or Azure AD systems by comparing the hashes of the submitted password to the hashed password stored with the actual accounts. ...

For this particular list, 9.62% of the usernames matched an account in our systems. And of those, only 1.03% had a matching password.

So while we had Google playing down the validity of this information, here we find Microsoft essentially confirming the story. For their part, over 3 million user credentials were verified to be genuine by Microsoft and over three-hundred thousand had a matching password.

The named services have triggered automatic password resets for all compromised accounts, so they are now secure, but since people often use the same email and password across multiple websites, what help do third-party services receive that will inevitably be affected by this leak? And why has the press stopped reporting on this story?

A breakdown of the numbers according to Hold Security:

24m - Gmail
33m - Microsoft Hotmail
40m - Yahoo Mail
57m - Mail.ru

If you (re)use one of the above service emails to log in to multiple websites (e.g. Amazon, PSN or Steam), I strongly urge you to update your email and password today.
 
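The Microsoft blog quoted above describes the defender-side counterpart of credential stuffing: take a leaked username/password list and check it against your own user store by hashing each leaked password the way the account's stored hash was made, so that accounts whose leaked password actually works can be force-reset. The script below is an added example of that screening, not Microsoft's code or any detail of MSA/Azure AD; it assumes a PBKDF2-SHA256 store with a per-account salt (a stand-in for whatever real scheme a service uses), and the accounts and the leak list are constructed so it runs offline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 10_000  # constructed, kept low for the demo; production uses far more


@dataclass
class StoredCredential:
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(store: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    store[username.lower()] = StoredCredential(salt, hash_password(password, salt))


def screen_leak(leak: list[tuple[str, str]], store: dict) -> dict:
    """Check each leaked (username, password) pair against the account store.

    A leaked hash cannot be compared with a stored hash directly because every
    account has its own salt, so the leaked plaintext is re-hashed with that
    account's salt. Nothing from the leak is written back to the store; the
    only output is the list of accounts whose leaked password really works.
    """
    username_matches = 0
    force_reset = []
    for username, password in leak:
        cred = store.get(username.lower())          # usernames normalised to lower case
        if cred is None:
            continue
        username_matches += 1
        if hmac.compare_digest(hash_password(password, cred.salt), cred.pw_hash):
            force_reset.append(username.lower())
    return {
        "leaked": len(leak),
        "username_matches": username_matches,
        "password_matches": len(force_reset),
        "username_pct": round(100.0 * username_matches / len(leak), 2) if leak else 0.0,
        "password_pct": round(100.0 * len(force_reset) / username_matches, 2) if username_matches else 0.0,
        "force_reset": force_reset,
    }


# Constructed accounts and a constructed leak list (none of these are real people or dumps).
ACCOUNTS: dict[str, StoredCredential] = {}
for u, p in [("alice", "hunter2"), ("bob", "S3cure!pass"),
             ("carol", "correct-horse-battery"), ("dave", "dave1234")]:
    create_account(ACCOUNTS, u, p)

LEAK = [
    ("alice", "hunter2"),      # username exists and the password is current -> reset
    ("Bob", "password1"),      # username exists (case differs), password does not match
    ("carol", "letmein"),      # username exists, password does not match
    ("erin", "hunter2"),       # unknown user
    ("frank", "qwerty"),       # unknown user
    ("dave", "dave1234"),      # username exists and password is current -> reset
    ("grace", "abc123"),       # unknown user
    ("heidi", "iloveyou"),     # unknown user
]


def report() -> dict:
    return screen_leak(LEAK, ACCOUNTS)


if __name__ == "__main__":
    print(report())
```

The numbers Microsoft published (9.62% of usernames present, 1.03% of those with a matching password) are exactly the two ratios this returns, and the reset list is the actionable output: those users chose a password that is now public, regardless of whether the list itself came from that service. What the thread asks about third-party sites follows directly: any service can run this check against a public dump, provided it never stores the leaked plaintexts.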

Dingens

Member
my WoW account got hacked once... after they switched from "user-name-based login" to e-mail address-based login (thanks to them, they also tried to hack my mail account. thanks again blizzard!)

(and then they didn't even restore my account because I didn't have an active subscription at that time. never again.)

case in point: I wish companies would let you use an individual login-only nick/word/phrase instead of trying to make it "easy" and "convenient". My login name is usually a password in itself, but thanks to bullshit like the above, that's hardly possible anymore...
 

Capella

Member
Here is an alarming Microsoft blog piece from May concerning the millions of leaked Gmail, Yahoo and Hotmail credentials that appeared for sale on a Russian website.



So while we had Google playing down the validity of this information, here we find Microsoft essentially confirming the story. For their part, over 3 million user credentials were verified to be genuine by Microsoft and over three-hundred thousand had a matching password.

The named services have triggered automatic password resets for all compromised accounts, so they are now secure, but since people often use the same email and password across multiple websites, what help do third-party services receive that will inevitably be affected by this leak? And why has the press stopped reporting on this story?

A breakdown of the numbers according to Hold Security:

24m - Gmail
33m - Microsoft Hotmail
40m - Yahoo Mail
57m - Mail.ru

If you (re)use one of the above service emails to log in to multiple websites (e.g. Amazon, PSN or Steam), I strongly urge you to update your email and password today.
I thought Google and the other email services were just saying that their own services hadn't been breached, or did more info come out since then? Also, is it known what breach all of these email accounts are from, or is it just a compilation from multiple breaches? The media may have stopped talking about it because of a lack of new information, and the fact that quite a few large breaches were made public at the end of May, which probably overshadowed it.
 

Capella

Member
Epic Games forums were hacked again: https://www.unrealengine.com/news/information-regarding-recent-forum-compromise

We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.

Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums. If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.

We don’t believe that other Epic related forums were affected, including Paragon, Fortnite, Shadow Complex, and SpyJinx.

We apologize for the inconvenience this causes everyone and we’ll provide updates as we learn more.

This has been one of many vBulletin forum hacks where hackers have been targeting vulnerabilities in older versions that haven't been updated.

More info about what was leaked:
http://www.zdnet.com/article/epic-games-unreal-engine-forums-hacked-in-latest-data-breach/

The hacker acquired usernames, scrambled passwords, email addresses, IP addresses, birthdates, join dates, their full history of posts and comments including private messages, and other user activity data from both sets of forums.
 

8bitghost

Member
I thought Google and the other email services were just saying that their own services hadn't been breached or did more info come out since then?

Google issued a press statement saying the information was mostly hot air. On that basis, Ars Technica wrote a piece (Garbage in, garbage out: Why Ars ignored this week’s massive password breach) minimizing what had taken place.

"More than 98% of the Google account credentials in this research turned out to be bogus," a Google representative wrote in an e-mail. "As we always do in this type of situation, we increased the level of login protection for users that may have been affected." ...

Yahoo Mail and Microsoft Hotmail—which according to Reuters are the providers for 40 million and 33 million of the compromised accounts, respectively—have yet to publicly comment. But their silence speaks for itself.

As we now know, millions more accounts turned out to be genuine.

is it known what breach all of these email accounts are from or is it just a compilation from multiple breaches?

According to Hold Security it was an accumulation of multiple breaches over a period of time.
 

Quasar

Member
my WoW account got hacked once... after they switched from "user-name-based login" to e-mail address-based login (thanks to them, they also tried to hack my mail account. thanks again blizzard!)

(and then they didn't even restore my account because I didn't have an active subscription at that time. never again.)

case in point: I wish companies would let you use an individual login-only nick/word/phrase instead of trying to make it "easy" and "convenient". My login name is usually a password in itself, but thanks to bullshit like the above, that's hardly possible anymore...

Just have unique email addresses for services.
 
Here is an alarming Microsoft blog piece from May concerning the millions of leaked Gmail, Yahoo and Hotmail credentials that appeared for sale on a Russian website.



So while we had Google playing down the validity of this information, here we find Microsoft essentially confirming the story. For their part, over 3 million user credentials were verified to be genuine by Microsoft and over three-hundred thousand had a matching password.

The named services have triggered automatic password resets for all compromised accounts, so they are now secure, but since people often use the same email and password across multiple websites, what help do third-party services receive that will inevitably be affected by this leak? And why has the press stopped reporting on this story?

A breakdown of the numbers according to Hold Security:

24m - Gmail
33m - Microsoft Hotmail
40m - Yahoo Mail
57m - Mail.ru

If you (re)use one of the above service emails to log in to multiple websites (e.g. Amazon, PSN or Steam), I strongly urge you to update your email and password today.

Holy fuck. I thought MS and Google were unhackable
 

Capella

Member
Funcom forums were hacked: http://www.funcom.com/news/data_breach_on_funcom_forums. Another vBulletin forum hacked....

On August 24th, 2016, we discovered that user data associated with forum accounts on TheSecretWorld.com, AgeofConan.com, Anarchy-Online.com and LongestJourney.com have been compromised by a third party.
We regret to inform you that the data breach includes e-mail addresses, user names, and encrypted passwords associated with forum accounts on these forums. Even though passwords were encrypted, these can be cracked and should be considered compromised. It is important to note that forum accounts and game accounts are separate and are stored on different servers using different security systems. Game accounts have not been compromised.
The breach was possible due to a security fault in the vBulletin forum system. This security fault was corrected on our forums on August 19th, 2016, but we are unable to determine exactly when the data breach occurred prior to the fix.
 