
HACKED ACCOUNTS!!!!!

    TreyG-20 (TGT Addict, Central):
    > Why is this a PayPal problem? I don't understand why people think PayPal is at fault. If I initiate a payment to a phony person via PayPal, how is that the fault of PayPal? Am I missing something in this scam?
    Who said this was PayPal's fault? Am I missing something?

    rotor (TGT Addict, Texas):
    > No it wasn't. He admitted it was his fault in that same post.
    I don't like PayPal's anti-gun policy but I just didn't get the reason to drop them. They are in my opinion one of the safest and best payment options out there short of using a credit card. Nothing beats a credit card with a max $50 loss. Bought some stuff on GunBroker for my SKS from a guy in Ukraine and PayPal was the way to go.
     

    benenglish (Just Another Boomer, Staff member, Lifetime Member, Admin, Spring):
    > Has HOOTREWPOO been back? Does he even know what's going on?
    As far as we can tell, no and no. If anybody knows him offline and wants to let him know that his account on this board has been killed off, it would be interesting to know what he has to say about that.

    Not necessarily relevant, but interesting.
     

    candcallen (Emeritus - "Texas Proud", Little Elm):
    > As far as we can tell, no and no. If anybody knows him offline and wants to let him know that his account on this board has been killed off, it would be interesting to know what he has to say about that.
    >
    > Not necessarily relevant, but interesting.
    Has anyone figured out the vulnerability yet?
     

    benenglish (Just Another Boomer, Staff member, Lifetime Member, Admin, Spring):
    > Has anyone figured out the vulnerability yet?
    That's above my pay grade but it seems that the hoothrewpoo account was compromised and as soon as the bad guy realized I had noticed him, he took over my account. There was zero delay and, afaik, no brute forcing a login for either of those two accounts.

    Also, the attack was pretty manual. The bad guy was monitoring the board, composing posts, and heading off people who figured out something was wrong in real time. That means he was sitting at his computer, typing away, protecting his scam.

    Someone is willing to put in a lot of hours just to break into a board account, do a quick scam, get kicked, and then go into another board. He was on this board for less than 18 hours. Maybe it's a small group doing it but that's pure guessing on my part. It just seems like the bad guy doesn't sleep and doesn't automate the work.

    I really don't know what conclusions to draw from all this other than the need for very strong passwords and two factor authentication to any place where I might be spending money or revealing important information.
     

    SQLGeek (Muh state lines, Richmond):
    Wow....crazy stuff. Sorry to everyone impacted by this. :(

    > I'd lean towards reused passwords or a vulnerability in the forum software.

    Either of these is my guess. Reused, compromised password is more likely in my estimation but a vulnerability is a possibility also.

    There's been some good advice in password handling & 2FA. For 2FA, the most secure approach is to use a physical key like a YubiKey or FIDO, which is supported here. That's probably overkill for the average user.

    The second best 2FA approach is to use an app. I like Authy personally but Microsoft or Google both offer one as well.

    SMS/text messages are less secure because it's not terribly hard for your number to be spoofed and 2FA texts to be intercepted. Phone company reps are notoriously bad for compromising their customers' phone numbers like this. That said, sometimes you don't have a choice and this is better than nothing.

    To ensure unique, very strong passwords, I use a password manager. There are several like LastPass, 1Password and such. I use BitWarden because it is free and it allows you to host a password vault either in their cloud or on your own personal server.

    Chrome, Edge and Apple Keychain will also generate and store passwords for you. One nice thing about Chrome is that if you store a password in it and the password matches one in a known breach, it will notify you so you can change it.

    The idea behind the password manager is that it is secured with one, very strong password that you memorize and don't use anywhere else. Then you store unique passwords for various sites so that no site uses the same password. The password is generated and stored in the vault so you no longer need to remember multiple, strong passwords.

    If you do reuse passwords across accounts, I urge you to consider going away from this practice as much as possible, especially for email accounts.

    Another good resource for checking if you might have had credentials leaked in larger, known attacks is to go here:


    If your email shows up in this list, I recommend changing passwords.

    The summary (TL;DR):

    • Use unique, strong passwords through a password manager
    • Turn on 2FA (two factor authentication) and use an app like Authy
    • Check https://haveibeenpwned.com/ to see if your existing credentials have been compromised
     

    Darkpriest667 (Actually Attends, Lifetime Member, Jarrell TX, United States):
    > (...)
    > The summary (TL;DR):
    >
    > • Use unique, strong passwords through a password manager
    > • Turn on 2FA (two factor authentication) and use an app like Authy
    > • Check https://haveibeenpwned.com/ to see if your existing credentials have been compromised

    I agree with everything except password managers. I'm not a huge fan of PW managers and at Dell if you're caught using one they fire you because someone in engineering one time was using one and the program was compromised and a lot of crap got leaked.

     

    rotor (TGT Addict, Texas):
    > I agree with everything except password managers. I'm not a huge fan of PW managers and at Dell if you're caught using one they fire you because someone in engineering one time was using one and the program was compromised and a lot of crap got leaked.

    How do the Dell people keep track of passwords? Sticky notes? Seriously.
     

    SQLGeek (Muh state lines, Richmond):
    > I agree with everything except password managers. I'm not a huge fan of PW managers and at Dell if you're caught using one they fire you because someone in engineering one time was using one and the program was compromised and a lot of crap got leaked.

    There's a risk but better than reusing passwords IMO. Having multifactor set up on the manager itself and a strong password will go a long way toward securing it. My company doesn't allow third party managers either but for me, good enough for personal use. I think it's a reasonable risk trade-off.

    This is a good call out though and supports the multilayer approach for having 2FA. Physical security (YubiKey) is best but, again, untenable for many.

    As an aside, one of the nice things about Bitwarden is you don't have to use their cloud offering for your vault, you can run your own.
     

    Darkpriest667 (Actually Attends, Lifetime Member, Jarrell TX, United States):
    > How do the Dell people keep track of passwords? Sticky notes? Seriously.

    You have to change your password every 90 days for every single sign on we have. We also own RSA (well we did until we sold them last year) so you can't even sign on without that 2FA and you have a unique RSA key.

    If you can't remember your password you can request to have it changed through IT but it's an ordeal.
     

    dsgrey (Well-Known, Denton County):
    > You have to change your password every 90 days for every single sign on we have. We also own RSA (well we did until we sold them last year) so you can't even sign on without that 2FA and you have a unique RSA key.
    >
    > If you can't remember your password you can request to have it changed through IT but it's an ordeal.
    Similar here but we changed to MS Authenticator on our company issued phones that are also password protected by policy. Funny thing about 90 day password changes. Most people choose a password with a number and then just cycle through 0 through 9 to bypass the typical "cannot use any of your last 3 passwords".

    A little bit easier to unlock your account at my company assuming you set up your challenge questions. At least they removed some possible questions that someone might Google and find out about you such as high school name, city you were born in, mother's maiden name, etc. If you cannot unlock via challenge questions then they must call your manager to approve unlocking the account and/or performing a password reset.
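
    Added example, not from dsgrey's post or from any company policy named in the thread: a password-history check that catches the digit-cycling trick described above. Real systems keep hashes rather than plaintext, so the history here stores a salted hash of each accepted password together with a salted hash of its "core" (the password with trailing digits and symbols stripped and case folded); a candidate that only bumps the trailing number then collides on the core hash and is rejected. The class and function names, the fixed salt and the sample passwords are constructed for this example, and sha256 stands in for the slow password hash a production system would use.

```python
import hashlib
import os
import re
from typing import List, Optional, Tuple

# Trailing digits and the symbols people tack on to satisfy a complexity
# rule ("Summer2021!", "Summer2022!").
TRAILING_PATTERN = re.compile(r"[0-9!@#$%^&*._-]+$")


def canonical_form(password: str) -> str:
    """Strip trailing digits/symbols and fold case, so 'Texas1!' and
    'Texas2!' map to the same core ('texas')."""
    return TRAILING_PATTERN.sub("", password).casefold()


class PasswordHistory:
    """Keeps salted hashes of the last N passwords and of their cores."""

    def __init__(self, history_len: int = 3, salt: Optional[bytes] = None) -> None:
        self.history_len = history_len
        # A fixed salt is only passed in for the constructed demo; a real
        # deployment generates and stores a random per-user salt.
        self.salt = os.urandom(16) if salt is None else salt
        self._entries: List[Tuple[str, str]] = []  # (full_hash, core_hash)

    def _hash(self, value: str) -> str:
        # sha256 keeps the example dependency-free; production code would use
        # argon2, bcrypt or scrypt here.
        return hashlib.sha256(self.salt + value.encode("utf-8")).hexdigest()

    def _fingerprints(self, password: str) -> Tuple[str, str]:
        return self._hash(password), self._hash(canonical_form(password))

    def reuse_reason(self, candidate: str) -> Optional[str]:
        """Return why the candidate is rejected, or None if it is acceptable."""
        full, core = self._fingerprints(candidate)
        for old_full, old_core in self._entries[-self.history_len:]:
            if old_full == full:
                return "identical to a recent password"
            if old_core == core:
                return "differs from a recent password only in trailing digits or symbols"
        return None

    def rotate(self, new_password: str) -> None:
        """Accept a new password or raise ValueError with the reason."""
        reason = self.reuse_reason(new_password)
        if reason is not None:
            raise ValueError(reason)
        self._entries.append(self._fingerprints(new_password))


def rotation_outcomes(accepted: List[str], candidates: List[str],
                      history_len: int = 3) -> List[Optional[str]]:
    """Replay a sequence of accepted rotations, then report the reuse reason
    (or None) for each candidate against the resulting history."""
    history = PasswordHistory(history_len=history_len, salt=b"constructed-salt")
    for pw in accepted:
        history.rotate(pw)
    return [history.reuse_reason(c) for c in candidates]


if __name__ == "__main__":
    outcomes = rotation_outcomes(
        ["Bluebonnet2021!"],
        ["Bluebonnet2022!", "Bluebonnet2021!", "pecan-tree-mud-rifle"],
    )
    for attempt, reason in zip(
        ["Bluebonnet2022!", "Bluebonnet2021!", "pecan-tree-mud-rifle"], outcomes
    ):
        print(f"{attempt!r}: {reason or 'accepted'}")
```

    The history window still works as before: once three genuinely different passwords have been accepted, the old "Bluebonnet" core drops out of the comparison. The only extra cost of the check is one more hash per stored entry.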
     

    BBL (Member, TX):
    > Similar here but we changed to MS Authenticator on our company issued phones ...
    Well, our company did it the half-assed way. Mandated the authenticator app but would not provide a smart phone and data plan. LOL
    So now purchasing an expensive phone and data plan is a silent requirement for my job.
     

    no2gates (Lifetime Member, Grand Prairie, TX):
    > Well, our company did it the half-assed way. Mandated the authenticator app but would not provide a smart phone and data plan. LOL
    > So now purchasing an expensive phone and data plan is a silent requirement for my job.
    Our company switched to using Google Authenticator a little over a year ago. Everyone is expected to install it on their smartphone.
    Only had one person who was hired as a freelancer for a couple of weeks. He didn't own a smartphone, so he couldn't log in and work.
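
    Added example (not code from Google, Microsoft, Authy, RSA or any of the posters above) showing what the authenticator apps mentioned in this thread actually compute. Google Authenticator and the like implement TOTP (RFC 6238) on top of HOTP (RFC 4226): an HMAC over a 30-second counter, truncated to six digits, keyed by the shared secret the server shows as base32 during enrolment. The key below is the RFC test key (`12345678901234567890`); the `verify_totp` function with its one-step drift window is my assumption of a typical server-side check, not any vendor's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII bytes).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate,
    keep the low 31 bits and reduce to the requested number of digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6,
         t0: int = 0, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time."""
    if for_time is None:
        for_time = time.time()
    counter = (int(for_time) - t0) // step
    return hotp(key, counter, digits, algorithm)


def decode_authenticator_secret(secret: str) -> bytes:
    """Turn the base32 string shown at enrolment (spaces and lowercase
    tolerated, padding optional) back into the raw HMAC key."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(key: bytes, submitted: str, for_time=None, window: int = 1,
                step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> bool:
    """Assumed server-side check: accept the code for the current step or
    `window` steps either side (phone clock drift), comparing in constant
    time. A real server would also refuse to accept the same code twice."""
    if for_time is None:
        for_time = time.time()
    for drift in range(-window, window + 1):
        candidate = totp(key, for_time + drift * step, step=step,
                         digits=digits, algorithm=algorithm)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    key = decode_authenticator_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("six-digit code right now:", totp(key))
    print("RFC 6238 vector at t=59 (8 digits):", totp(key, 59, digits=8))
```

    Nothing in the exchange depends on the phone having network access: once the secret is enrolled, both sides derive the code from the key and the clock alone, which is why a phone with no data plan still works as a second factor and why the only thing that must stay private is that base32 secret.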
     

    BBL (Member, TX):
    > Our company switched to using Google Authenticator a little over a year ago. Everyone is expected to install it on their smartphone.
    > Only had one person who was hired as a freelancer for a couple of weeks. He didn't own a smartphone, so he couldn't log in and work.
    Did y'all fire the temp?
     