
This Site Has Been Hacked

My identity protection service just notified me that my exact password and email address from this site have been published.
I've changed mine. So this is not a question, just information for you.

Edit from staff: We have found this report to be simply new alerts from a 4-year-old breach. More info here.
I don't get it. Why would someone want to hack someone's password to an Android forum? Just so they can post under someone else's name? Why? It's not like this site is a personal information-sensitive site such as PayPal or online banking, etc.
 
Upvote 0

I would assume it's rare that someone steals the user database of a site like this for the info found on that particular site, or to log in as those users. It's because for so, so many people (as mentioned above), they use the same password in multiple places. A big problem in particular: the odds are that many people use their AF password on the email account they have associated with their account here. Or use that email and password for, say, PayPal. Or have a PayPal account and reference it in posts, and now you have their email address (account name) for PayPal. That's half the battle to get in.

Breaches like this don't typically give away passwords, only the hashed values, but in some cases rainbow tables can be used to resolve the easier, less complex passwords. (Assume that with 1 million users, of the ones with PayPal accounts that use the same email address as here, some percent, even just 1 percent, have a simple password that can be resolved.) Salted passwords, which are used here, make that extremely difficult. A good read on that, well, you can find a good read on that in many places, since it's a well known and highly used method these days, but a quick search pulls this up: http://security.stackexchange.com/questions/17421/how-to-store-salt (the top answer is good).

Also, just having a database of over a million email addresses, tens or hundreds of thousands of which can be shown by looking at other info (like post count) to likely not be burner or fake accounts (for spam, for example): there is value in lists of email addresses.

There's more value in lists of email addresses from a known location. Imagine sending 100k emails out saying "hey $user, it's androidforums! We're doing some audit, please click here and log in to prove you still want to keep your account otherwise we'll delete it".

(We'd never send that out, and it'd likely be fairly easy to spot that it is a fake email, but what if 1% fell for it? Then they WOULD have the plain text password that goes with 1000 emails and usernames. You see where I'm going with this.)

Sometimes it can be to tarnish reputations.

Sometimes it's boredom.

I'll bet there are instances where the supposed reason is to help make the internet a better place - forcing sites to cross their t's, dot their i's, and be more careful about patching published (or not) vulnerabilities and better protect their information. Or because members deserve to be exposed for being members. Blackmail, public shaming. (Ashley Madison).

Anyway. There are many reasons. None of which are good.
 
Upvote 0
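To make the salting point in the post above concrete, here is an added example (not the poster's code, and not how this forum's software actually stores passwords): it contrasts a plain unsalted SHA-256 store, where one precomputed hash-to-password table resolves every user with a common password in a single lookup, with a salted and iterated PBKDF2 store, where that table matches nothing and two users with the same password get different digests. The password list and the "dump" rows are constructed sample data; PBKDF2-HMAC-SHA256 is used as the salted scheme only as an illustration of the linked Stack Exchange answer's advice.

```python
import hashlib
import hmac
import os

# Constructed sample of "common" passwords that any precomputed table would cover.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

ITERATIONS = 100_000  # work factor for the salted scheme (illustrative value)


def unsalted_hash(password: str) -> str:
    """The weak scheme: a single SHA-256 of the password with no salt.
    The same password always produces the same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password once; this is the idea behind rainbow tables."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """The recommended scheme: PBKDF2-HMAC-SHA256 with a random per-user 16-byte salt.
    Returns (salt, digest); the salt is stored next to the digest, not kept secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def resolve_unsalted(dump: dict, table: dict) -> dict:
    """Given {user: unsalted_digest}, one dict lookup per row recovers every
    password that appears in the precomputed table."""
    return {user: table[h] for user, h in dump.items() if h in table}


def resolve_salted(dump: dict, table: dict) -> dict:
    """Same lookup against {user: (salt, digest)}: the table was built without
    each user's salt, so no digest matches. An attacker would have to redo the
    full iterated computation per user, which is the cost the salt imposes."""
    return {user: table[d.hex()] for user, (s, d) in dump.items() if d.hex() in table}


def same_password_distinct_digests(password: str) -> bool:
    """Two users choosing the same password end up with different stored
    digests under the salted scheme, so one table cannot serve both."""
    _, d1 = salted_hash(password)
    _, d2 = salted_hash(password)
    return d1 != d2


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leaked" rows: alice picked a common password, bob did not.
    weak_dump = {"alice": unsalted_hash("password"),
                 "bob": unsalted_hash("correct horse battery staple 7!")}
    print("unsalted dump resolved:", resolve_unsalted(weak_dump, table))
    salted_dump = {"alice": salted_hash("password"),
                   "bob": salted_hash("correct horse battery staple 7!")}
    print("salted dump resolved:", resolve_salted(salted_dump, table))
    print("same password, distinct digests:", same_password_distinct_digests("password"))
```

The unsalted store leaks alice's password with a single dictionary lookup, while the salted store leaks nothing to the same table; verification still works for the legitimate login because the salt is stored alongside the digest. The iteration count is what makes per-user brute force expensive; the salt is what stops the precomputation from being shared across users.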
I finally see you posting live! lol Thanks for the informative post. And nice to finally meet you. Just wanna say - very quickly and briefly because it's off topic here...thanks for this amazing forum. Great job! Kudos to you and your team :thumbsupdroid:
 
Upvote 0
I just came across this thread. If a person (me) does not use a credit card in any form online, either in email, texting, PayPal, banking online, or ordering from any store online, why would there be any real threat if hacked? I do not put my real birthday or address on any forum info, and don't email anything personal that I am aware of online. I would never put my social security number or bank account. If someone wants to know that I have emailed/texted someone that it is snowing heavily, and do they want to come with us cross-country skiing, does that cause a risk?? I am afraid I went back a long time ago to simple old-fashioned ways. I am very curious.
 
Upvote 0

As was mentioned above, there are many that use the same password across many platforms, i.e., their email password is the same as their banking password, desktop password, Sears card, etc.
 
Upvote 0