> I am well aware [old password I think I swapped out everywhere, but definitely in all important places, when I started to use random keepass pws two years ago] is your password. Let's get straight to the point. No one has compensated me to check about you. You don't know me and you're most likely wondering why you are getting this e-mail?
He continues to tell me my computer was hacked using that password, he downloaded my contacts, recorded me watching porn and now threatens to send that video to all my contacts, unless, of course, I send him bitcoins for about $1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM
I have got multiple of these emails in my spam folder since December. The password most likely comes from the Heroes of Newerth leak back in 2014!
It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins. This is a real threat these collections create. To be honest I feel uneasy about this email though I'm 100% sure this password is not used for anything important since about two years ago. I can't imagine how someone with a current password and no security/compsci knowledge at all would feel.
I unfortunately deleted all but the last of these emails, so I wonder if he reuses the same bitcoin address and it can be easily blacklisted by authorities. If he is smart he generates a different address for every single email.
This would be a nightmare for basically anyone.
Boy do those nervous tics appear obvious at 2x. By the end you just want to scream out to yourself "stop touching your ear!".
Edit: We each brought in our own VHS tape (this was 2010-2011) on presentation day and https://www.svcc.edu/employees/directory/pa-fulfs/index.html would swap them in/out for each speech. Good memories... :)
I've had 3 web clients contact me that received these. One called the local police and an IT guy, two bought new computers, and one I never heard back from.
The bitcoin address is different: 1ELzee2T9Wd5YPTYhWbWD3xK7xB5tJ94J4
Looks like the scam worked a couple times so far:
So I can confirm that scammers seem to leverage password dumps that way. It's quite clever I suppose, if I used the same password everywhere (as many people seem to do) I'd definitely be worried.
(oh, and also myspace, some identities are just meant to be stolen I guess...)
Makes me think I need a better strategy on the username side to not leak that info.
- if they start sending you spam you can sever their capacity to contact you by deleting the alias
- if they give your contact to a third party, you know from the alias who leaked your email address
- if you see an email on a data breach like this one, you know immediately which website got hacked
- it makes it really hard to correlate your identity across two websites
Even if the dictionary and patterns are known by an attacker, this still has very good entropy on ~16 characters long sentences. For usernames you can easily just go down to the minimum (around 6-10).
I find this superior to random values in a lot of places as it's easily readable and it's also easily typeable, when copy-paste doesn't work.
How does that follow? It still adds value to use aliases that identify the site where they're used, because then you don't need to do a hashtable lookup to see where your mail is coming from.
What I and many others do is reuse not a password, but a password formula (in my case with slight but easily memorable variations depending on importance, or if forced by stupid password rules). If you saw a dozen of my email/password combinations in the clear you would be able to reverse engineer the rules and then guess combinations for arbitrary sites almost as well as I can. It's a calculated risk, just like trusting a password manager is a calculated risk. Right now I consider password managers the better trade-off, but still only slightly better, by a margin small enough to make it not worthwhile to invest in a habit change. If the "formula" I happen to use was just a little harder to reverse engineer than it sadly is, I would consider it strictly safer than password managers.
What a damning position to be in, in 2019.
As with other scams that can be initiated at scale, you don't need a 50% conversion rate. 0.01% probably suits just fine.
As an embellishment by the trolls, it would probably move any authority figures from a position of "let's figure out who got this dumb kid mixed up in these terrible things" to stony indifference and something closer to "serves him right." It also alienates him from his family so he has nobody in his corner any more.
Consider your own reaction as a viewer. Think about the other person who was involved in the last task of the episode. Did you feel any sympathy for him?
I remember specifically thinking "well, embarrassing sure, but everybody does it, oh well"
Why rob a bank just for some embarrassment?
Interestingly, the dollar amount of the attempted extortion has gone up more or less monotonically throughout; the first ones I got were looking for something like $200.
Buying bitcoin is actually pretty easy and they help you figure it out in the email as I already commented here https://news.ycombinator.com/item?id=18939713
> Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.
I find it difficult to reconcile someone tech savvy enough to use bitcoin falling for a scam of this nature.
On the other hand, it might explain a lot about the crypto space!
> You will make the payment by Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).
The top result is from Coinbase. I would say everyone capable of online banking is capable of following these steps.
It’s as easy to assume that a world in which crypto is a trusted, common method of value transfer benefits them if they’re a leader in that space.
1) I don't think it's one person, I've received multiple of these with different wording. At the least I think there are a bunch of copycats out there.
2) I received an initial batch of six to a few different mail addresses, and across about six different emails there was one bitcoin address used in four of them. I took a look on blockchain.info and a couple of payments of about the asked amount had gone through it in the previous few days.
What bugs me is that this is actual, criminal extortion on a large scale. Where are law enforcement?
It's clear that someone has made a business model out of this, and it doesn't matter what the password is actually from. For people that don't use unique passwords, they can't say if there is anything behind the threat.
Remember to always use unique passwords for every site!
They all talk about having access to my computer, a recording of me watching porn, and threaten to send it to my contacts unless I send 700-850 USD to a Bitcoin address. The payment amounts and Bitcoin addresses are different in each of the emails.
The subject of the email was a previous password I've used and they sent it "from my domain" (not really my domain, you know how it is).
Interestingly, I also did play Heroes of Newerth, so I guess that you're right on that notion.
Another fun fact, each time my password was mentioned, it was missing the first letter.
I get an old password in these kinds of emails that has been stripped of case; the capitalization I used is not what I received. Still, the first one was attention-grabbing, even if I've long moved on from that password to a password manager with a randomly generated password for each site.
I know best practice is to immediately change your password regardless, but with the increasing frequency of these kinds of breaches and the reuse and recombination of old lists, how long will it be before emails from leak notification sites like haveibeenpwned start becoming so frequent that people start ignoring them? I am already more guilty of that than I'd like to admit, even though I should know better.
I know there are various places you can check a given password against known leak lists, but it makes me really uncomfortable typing my password into anyplace which is not a password manager or the site it's used for - enough that I want to change it afterwards anyway.
I already hear the arguments that none of this matters if you follow best practices, which are not wrong, but I've always gone with the option which is as secure as possible without being overly burdensome, and I'm sure I'm not the only one.
You get a list of corresponding hash suffixes and check if yours is there.
Edit: This site was made with Beaker Browser (https://beakerbrowser.com), which is rad, and you should check it out. Feel free to download / fork this site.
The way I recognize which service has been compromised is using unique email addresses. Most providers let you do either a catchall address, or email@example.com, meaning you should have a firstname.lastname@example.org for your Hacker News user account. It makes knowing which service has been hacked easy, but also who sells your contact information to spammers! :)
Edit: actually, using random passwords from a manager, you should be able to identify it through https://haveibeenpwned.com/Passwords
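The k-anonymity check mentioned above (send the first five hex characters of the SHA-1, get back the list of matching suffixes, compare locally) is what the Pwned Passwords range endpoint does. The following is an added example, not code from the thread or from Have I Been Pwned: it parses a constructed stand-in for a range response (the suffix counts are made up; only the first suffix is the real tail of SHA-1("password")) and shows that the full password and its full hash never leave the client. The `offlineLookup` table stands in for an HTTP GET to https://api.pwnedpasswords.com/range/<prefix>.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-in for what the range endpoint returns for prefix 5BAA6:
// one "SUFFIX:COUNT" line per hash sharing that prefix. The counts are made up
// for this example; the first suffix really is the tail of SHA-1("password").
const sampleRange5BAA6 = `1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17`

// RangeLookup fetches the response body for a 5-character prefix. A real client
// does an HTTP GET; this example uses an in-memory table so it runs offline.
type RangeLookup func(prefix string) (string, error)

func offlineLookup(prefix string) (string, error) {
	if prefix == "5BAA6" {
		return sampleRange5BAA6, nil
	}
	return "", nil // no sample data for other prefixes
}

// HashParts splits the uppercase hex SHA-1 of pw into the 5-char prefix that
// is sent to the service and the 35-char suffix that stays on the client.
func HashParts(pw string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// countInRange scans a range body for suffix; 0 means not present.
func countInRange(body, suffix string) int {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			if n, err := strconv.Atoi(parts[1]); err == nil {
				return n
			}
		}
	}
	return 0
}

// PwnedCount reports how many times pw was seen in the corpus. Only the prefix
// reaches the lookup, so the service learns neither the password nor which of
// the suffixes in the returned range was the one of interest.
func PwnedCount(pw string, lookup RangeLookup) (int, error) {
	prefix, suffix := HashParts(pw)
	body, err := lookup(prefix)
	if err != nil {
		return 0, err
	}
	return countInRange(body, suffix), nil
}

func main() {
	for _, pw := range []string{"password", "correct horse battery staple"} {
		n, _ := PwnedCount(pw, offlineLookup)
		fmt.Printf("%-32q seen %d times\n", pw, n)
	}
}
```

Swapping `offlineLookup` for a function that performs the GET is the only change needed for real use; the comparison still happens in `countInRange` on the client.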
One of my co-workers ended up getting revealed this way to his then-wife; it wasn’t really a happy marriage up to that point but that was the last straw.
Haveibeenpwned has since gated access to the reports which is good....
With password managers that's also way easier than managing a lot of email accounts.
There are very few scenarios where your (high entropy) password would be compromised in a way that wouldn't also lead to the discovery of at least 1 functional 2FA code.
1) Website is breached. If they can get the account password hashes, chances are they're going to get the TOTP seeds as well.
2) You're phished. Your attacker passes through your credentials (scraping the password along the way), and they get a functional session token. With most services, you can turn off 2FA just by reconfirming the account password.
3) Your password manager is breached. 'nuff said.
The push behind 2FA isn't so much because high entropy passwords are vulnerable (except in a phishing context, but there TOTP is equally vulnerable) -- the momentum behind 2FA is because we can't convince people to stop using '123456' as a password.
Would be curious to learn more about how it happened, to see if there are any learnings for myself to improve operational security.
I'm not familiar with Windows; is there anything in the screenshot to suggest it's Tor Browser or anything like that?
Presumably the miscreant's ISP and e.g. the Russian government can guess real easy who generated that screenshot...?
Of course what they'd do with that info is anyone's guess. It could well not be an offence to sell collections of passwords, if indeed it's even an offence to hack those passwords in the first place.
I don't think it's from the seller - looks like it was taken by the author of this article.
I see the mega.nz handle "Louren KINGUR" with avatar, and the same person's Google account avatar with no username. I did an image search on this latter one and came up empty handed, but maybe someone with more finesse could find him this way.
edit - just fyi, Bitwarden responded on github last month with a plan to add some testing, and I think some of their code does use automated testing. They have issues on GitHub tracking it :)
1password has a rock solid UX that looks pretty. Bitwarden is more practical imo. I prefer the latter these days. Guessing the 1password iOS app is probably better than what Bitwarden offers, but I don't know, because I use an Android phone, and I prefer Bitwarden on Android.
I'm only nervous about Bitwarden because of the lack of automated testing. Apparently at least one closed-source one does not test either, possibly <edit: my memory is too fuzzy to name anything> but please don't quote me on that since my memory is fuzzy.
See my note above about Bitwarden adding tests though
Syncing is also a thing I prefer 1password and Bitwarden for. They both have cloud syncing by default. Some won't want that but I definitely do.
You CAN make mistakes with KeePass. You pretty much can’t make mistakes with a service.
I’ve set about 100 people up on LastPass including my mom. I recommend it as a very good thing normal people will actually use.
That's why I recommend LastPass.
Turns out it wasn't the email I used on Myspace.
Also, is Myspace back? Somehow my profile and pictures are on there again, but I thought they removed personal profiles years ago?
Posteo.de recycles deleted email addresses/aliases in three months. Fastmail is also similar and recycles them within three months or so. Same goes for Mailbox.org. All these paid services are pathetic in this regard.
Runbox.com (which I don’t use) is the only paid email service that clearly states that it never ever recycles email addresses, just like Gmail and Yahoo Mail don’t do either.
I’d like to know about privacy focused paid email services that have a clear policy of not recycling addresses.
Of course, as a reminder: This means you have to keep your custom domain, or else someone can register it after it expires and make any emails they want on it. But if you have a domain personal to you that you've used as part of your email address, you should probably keep it forever anyways.
I noticed that they don't have any usb-c + NFC options.
"Can I use Solo for OpenGPG or Ssh? Not yet
Can I use Solo to store passwords? Not yet."
Google's programme aimed at high risk people (e.g. journalists covering government corruption) specifically aims to leave you in a position where so long as you have control over the physical devices your secrets are safe, and if the devices are destroyed then your account is irrevocably lost and too bad. Doing that with just one key is asking for trouble.
If you're just dipping your toe in the water, buying one key and having your plan B be a bunch of one time codes written in the back of a diary in your locked desk drawer makes sense, and if you're mostly just interested in the cool technology and not worried about security then going to a Key with Google Authenticator as plan B is fine too.
But if you want this to solve all your problems as advertised, buy two keys.
It's pretty different from authenticator apps, it can be much more convenient (no trying to quickly type in six digit numbers) but it's kinda expensive for now.
Ordinary Security Keys only know how to do exactly one thing, prove that they're still the same Security Key that they were the last time. They can't even prove which one they are in particular (most can prove which model they are, because a bank or something might be like "Ooh, we like this technology but we insist you use Bank of America brand Keys..." but they don't even know like a "serial number" or anything). This is deliberate - it allows the strongest possible privacy guarantees while still delivering a useful security function. The Firefox implementation lets you pick "No" when sites ask which model it is - I always do, none of their bloody business, it's a Security Key, eat it.
When you "enroll" a Key the site gets back a "cookie" (not an HTTP cookie) that is only useful to identify that site to that Security Key; an elliptic-curve public key; and a signature proving the Key knows the corresponding private key and was enrolling with this specific web site. The site puts those somewhere (presumably a database table) ready to use them when you log in subsequently.
When you need to log in, the site gets its list of all the keys you've enrolled and says "OK, here are the cookies for some keys you enrolled, prove you still have one". If you have one of these keys it can find its cookie among the set, and it knows the private key that goes with that cookie, so it can sign a new message saying "Hi, this is still me, signing in to $domain right $now" and the site verifies that with the public key.
In principle the Security Key could be keeping a big database of every site it has enrolled with and the cookies used versus private keys. In practice what it does is make a random new private key each time it enrolls, encrypt the private key and put the result in the cookie. Only it knows how to decrypt the cookie, so there's no danger from this approach.
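The three steps described above (enrollment hands back a cookie, a public key and a signature; login is the site offering its cookies and a challenge; the cookie is the encrypted per-site private key, readable only by the device that minted it) can be simulated end to end. The following is an added example, not code from the thread or from any vendor's firmware: the "device secret" is a hypothetical AES-GCM wrapping key, the per-site key is P-256 ECDSA, and the site identifier is bound into the cookie as associated data so it cannot be replayed against another site. The `RunScenario` function enrolls and logs in at a constructed site and then shows that both a second device and a second site are refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SecurityKey stands in for the authenticator. Its only persistent secret is a
// hypothetical device wrapping key; each site's private key travels back to that
// site inside the encrypted "cookie", so the device keeps no per-site table.
type SecurityKey struct{ wrap cipher.AEAD }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand does not fail on a healthy system
	}
	return b
}

func NewSecurityKey() *SecurityKey {
	block, _ := aes.NewCipher(randBytes(32)) // 32-byte key: neither call can fail
	aead, _ := cipher.NewGCM(block)
	return &SecurityKey{wrap: aead}
}

type Enrollment struct{ Handle, PubDER, Sig []byte } // what the site stores: cookie, PKIX public key, registration signature

func digest(rpID string, parts ...[]byte) []byte { // every signed message starts with the site identifier
	h := sha256.New()
	h.Write([]byte(rpID))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// Enroll mints a fresh key pair for this site and seals the private key into the
// cookie with the hashed site identifier as associated data.
func (k *SecurityKey) Enroll(rpID string) (*Enrollment, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	privDER, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a freshly generated key
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	rp := sha256.Sum256([]byte(rpID))
	nonce := randBytes(k.wrap.NonceSize())
	handle := k.wrap.Seal(nonce, nonce, privDER, rp[:]) // cookie = nonce || ciphertext
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, handle, pubDER))
	return &Enrollment{Handle: handle, PubDER: pubDER, Sig: sig}, err
}

// Authenticate is the login step: the site sends every cookie it has on file plus
// a challenge; the first cookie that unwraps here for this site signs the challenge.
func (k *SecurityKey) Authenticate(rpID string, handles [][]byte, challenge []byte) (int, []byte, error) {
	rp := sha256.Sum256([]byte(rpID))
	n := k.wrap.NonceSize()
	for i, h := range handles {
		if len(h) <= n {
			continue // malformed cookie
		}
		privDER, err := k.wrap.Open(nil, h[:n], h[n:], rp[:])
		if err != nil {
			continue // another device's cookie, or one minted for a different site
		}
		priv, _ := x509.ParseECPrivateKey(privDER) // AEAD integrity: this is the DER we sealed
		sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
		return i, sig, err
	}
	return -1, nil, fmt.Errorf("no cookie for %s unwraps on this device", rpID)
}

func Verify(pubDER, msg, sig []byte) bool { // site-side check against the stored public key
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	ec, ok := pub.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(ec, msg, sig)
}

// RunScenario: enroll and log in at one site, then try the same cookie from a second device and at a second site.
func RunScenario() (enrollOK, loginOK, otherDeviceRejected, otherSiteRejected bool) {
	const site = "login.example.org" // constructed relying-party identifier
	key := NewSecurityKey()
	e, err := key.Enroll(site)
	if err != nil {
		return
	}
	challenge := randBytes(32)
	i, sig, err := key.Authenticate(site, [][]byte{e.Handle}, challenge)
	_, _, errDev := NewSecurityKey().Authenticate(site, [][]byte{e.Handle}, challenge)
	_, _, errSite := key.Authenticate("other.example.org", [][]byte{e.Handle}, challenge)
	return Verify(e.PubDER, digest(site, e.Handle, e.PubDER), e.Sig),
		err == nil && i == 0 && Verify(e.PubDER, digest(site, challenge), sig),
		errDev != nil, errSite != nil
}

func main() { fmt.Println(RunScenario()) }
```

Two design points carry the privacy property from the comment: the device stores nothing that names a site, and the cookie is useless to the site that holds it, because only the minting device can unwrap it and only for the site identifier it was bound to.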
This should be standard practice taught to kids in school! Especially considering their whole life is digital now.
I saw that Linux's full disk encryption supports Yubikey as well as Gnome login screens which is neat.
Correction: Looks like YK is saying iOS does support YK as MFA via NFC
I think it is a reasonable position not to pay for these files, if the money is just going to encourage the creation of more of them.
He describes the security measures behind the process here:
Of course, it all still boils down to how much you trust the guy, the approach, etc etc.
The consumer facing feature is entering your email address.
Always go directly to the site using your bookmarks or typing it in, or at least remember to check the url before you click it.
I'm abundantly positive there's still a lot of perfectly valid login credentials in there, but the trick is finding them without also triggering rate limiting detection now.
My point is that the market value has been lost because there actually is some churn in passwords and accounts. If 99% of the credentials in this hack still worked, it would not be getting sold at this price at all; it would be selling something worth tens or hundreds of thousands, if not millions to the right buyer, for You Pay Only $44.99. Not gonna happen. It can't be worth all that much to most buyers if that's all they're selling it for.
Or it's just so widespread that it's worthless, although I'd suggest in that case that we'd have heard about it earlier. Have I Been Pwned actually has some hookups in that world.
They should call it "Amazon Subprime".
Along with the traditional diet and exercise spiel that lasts a month, only 12 days left on most of my New Year's resolutions!
Having a 20 character password in a vault and 2FA is a great peace of mind now. I don't even have to bother looking into it.