Recent dump of eMail data

Here you can discuss every aspect of Debian. Note: not for support requests!


Postby mike acker » 2019-02-04 23:30

Thoughts regarding the so-called "megabreach" -- as reported by Krebs et al.
Krebs/Megabreach

Thoughts:

Users may have used eMail addresses as User_ID on some websites. And, in many cases, such web sites will offer help: If you "forgot your password": they send you a new one -- to your eMail address.

Obviously, if your eMail password is compromised -- an attacker could then log into your eMail -- and recover the new password to <whatever>.

I really don't know how serious this risk is but I changed some passwords anyway, as a precaution.

I had received a phishing eMail "from me" and "to me" -- an extortion.... The message was poorly done, an obvious bluff. Here, most of us will be aware that the from address on an eMail can easily be spoofed: creating a "from me" "to me" eMail doesn't mean the actual sender accessed the "from me" account. Still, in view of the recent reports of stolen eMail addresses and passwords -- I made the changes, anyway.

Thoughts, anyone?
Viva la Resistencia
mike acker
Posts: 90
Joined: 2017-06-28 21:23

Re: Recent dump of eMail data

Postby bw123 » 2019-02-06 13:21

Even with a password, email is neither private nor secure?
bw123
Posts: 3787
Joined: 2011-05-09 06:02

Re: Recent dump of eMail data

Postby Head_on_a_Stick » 2019-02-06 18:59

mike acker wrote: thoughts, anyone?

Enable two-factor authentication.
Head_on_a_Stick
Posts: 8900
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Recent dump of eMail data

Postby GarryRicketson » 2019-02-06 21:23

mike acker wrote: Users may have used eMail addresses as User_ID on some websites.

I think anyone dumb enough to use their e-mail address as a username (user_ID) deserves the consequences.
On another forum, we do them a favour and admins change the username to a non e-mail address.
GarryRicketson
Posts: 5300
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Recent dump of eMail data

Postby pcalvert » 2019-02-06 22:37

Unfortunately, some websites don't ask you to choose a username -- they automatically use your e-mail address.

Phil
“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
Posts: 1819
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Recent dump of eMail data

Postby GarryRicketson » 2019-02-07 00:56

I don't recall ever seeing that on any sites I visited and registered to, but if I did I certainly would not use my real e-mail address. I suppose, if it was essential, I might get one of those disposable e-mails so I could get registered, but more than likely I would simply just not use or register to any website like that.
I think that most of the kind of websites that do something like that are also involved in selling the data they collect. Who knows? I also think that maybe I don't see the point of this topic here on Debian User Forums. I know, it is general discussion:
General Discussion
Here you can discuss every aspect of Debian. Note: not for support requests!

But I fail to see how this is an "aspect of Debian", or how it relates to Debian at all, besides the fact that most people that use Debian probably use e-mail as well, but anyway, whatever,
mike acker wrote: thoughts, anyone?

My thoughts are it is just another topic where I will need to watch for any spam that might get posted. On a side note, I was not impressed with the "blog" at Krebs/Megabreach either, not the sort of site I am interested in. I could go on and tell about some more thoughts, but people would probably get mad and claim I am rude, etc.,... so that's all folks!
GarryRicketson
Posts: 5300
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Recent dump of eMail data

Postby mike acker » 2019-02-07 19:26

Head_on_a_Stick wrote:
mike acker wrote: thoughts, anyone?

Enable two-factor authentication.

Thanks.
I've been thinking the same: 2FA is probably a good plan.
Viva la Resistencia
mike acker
Posts: 90
Joined: 2017-06-28 21:23

Re: Recent dump of eMail data

Postby bw123 » 2019-02-07 20:06

Since the servers have already been breached to obtain the passwords, how would 2fa keep them from breaching or faking the 2fa auth code? Would they not already possibly have that data? I chose not to use it so far, because all it does is keep me from signing on with a different device, then all I need is a pw to say, "yeah it was me." So what kind of security is that?
Last edited by bw123 on 2019-02-07 20:16, edited 1 time in total.
bw123
Posts: 3787
Joined: 2011-05-09 06:02

Re: Recent dump of eMail data

Postby Head_on_a_Stick » 2019-02-07 20:16

bw123 wrote: Would they not already possibly have that data?

Only if they had your mobile phone ;)

The authentication codes are freshly generated each time.
Head_on_a_Stick
Posts: 8900
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Recent dump of eMail data

Postby bw123 » 2019-02-07 20:20

Head_on_a_Stick wrote:
bw123 wrote: Would they not already possibly have that data?

Only if they had your mobile phone ;)

The authentication codes are freshly generated each time.

Yeah, they are generated from code on a server that has been breached. It's like shutting the stall door after the horse is out of the barn and in the neighbor's orchard.

Anyway, 2fa still doesn't make email private or secure; every system between you and a mail server can copy the packets sent, it's a network. Also, the servers themselves are obviously not secure, they have employees with access.

It's just my opinion, but a lot of the "hacks" reported really don't seem to be hackers. It's just people with a thumb drive half the time. The media calls it a hack to make it sound sexy, but it's probably just dumb people doing something for money.

What do we expect from "free" email anyway?
bw123
Posts: 3787
Joined: 2011-05-09 06:02
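The two posts above argue over the same mechanism from opposite sides: Head_on_a_Stick says the codes are freshly generated each time, bw123 says they come from something the server holds. Both are right about a standard TOTP token, and the easiest way to see why is to implement it. The block below is an added example written for this page, not code from the thread or from any Debian package; it is the RFC 4226/6238 derivation in plain standard-library Python. The seed is the published RFC test-vector value (constructed for the demo, never a real one), the timestamp is taken from the RFC 6238 vectors, and the helper names (`hotp`, `totp`, `verify_totp`, `seed_from_base32`) are this example's own.

```python
"""Added example (not from the forum thread): how a TOTP second factor is
derived per RFC 6238 / RFC 4226, using only the Python standard library.

What it shows about the thread's argument:
  * the code depends on (seed, current time step), so a leaked password
    alone cannot produce it, and a captured code expires with its step;
  * the server must store the same seed to verify codes, so that seed
    store is itself a secret worth protecting (bw123's point)."""
import base64
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 test-vector secret, NOT a real one.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' down to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is floor(unix_time / step).
    Same seed + same 30 s window => same code on phone and server."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and
    `window` steps either side (clock skew), with a constant-time compare.
    Anything outside that window, including a replayed old code, fails."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def seed_from_base32(text: str) -> bytes:
    """Authenticator apps receive the seed as base32 (QR code / otpauth URI).
    Decode it, tolerating spaces, lowercase and missing '=' padding."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


if __name__ == "__main__":
    now = 1_111_111_109          # constructed timestamp (RFC 6238 vector)
    code = totp(DEMO_SEED, now)
    print("code for this 30 s step:", code)
    print("accepted now:          ", verify_totp(DEMO_SEED, code, now))
    # The same code presented two steps later is rejected: it is time-bound.
    print("accepted 60 s later:   ", verify_totp(DEMO_SEED, code, now + 60))
```

The design point for a defender: the password database and the TOTP seed store are two separate secrets, and a dump of the first does not let anyone run `totp()` because they lack the second. If the seed store is what leaked, the second factor is gone for every enrolled user and the seeds have to be re-issued, which is the scenario bw123 describes and the reason seeds should be stored encrypted or in an HSM rather than beside the password hashes.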

Re: Recent dump of eMail data

Postby Head_on_a_Stick » 2019-02-07 20:55

bw123 wrote:Yeah, they are generated from code on a server that has been breached. It's like shutting the stall door after the horse is out of the barn and in the neighbors orchard.

Well, I would hope that any breaches would be temporary in nature, but you do raise some good points, thanks for that.
Head_on_a_Stick
Posts: 8900
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Recent dump of eMail data

Postby mike acker » 2019-02-08 14:42

Head_on_a_Stick wrote:
bw123 wrote: Would they not already possibly have that data?

Only if they had your mobile phone ;)

The authentication codes are freshly generated each time.

Interesting discussion here.

That the attacker has your mobile/cell number should be assumed. Intercepting the call is a little more difficult -- I think a SIM card swap is needed to do it -- i.e. I have to have a "burner" phone that I put a SIM card in with your phone number and carrier ID.

From what I've read this is not impossible. Still, the objective is to be tough enough to discourage the attack and cause the hacker to look elsewhere for an easier target.

I think the 2FA idea could help.

These problems always lead back to the same question: how do we authenticate identification in a digital world -- particularly a digital world in which most if not all of our traditional PII has long since been compromised, and sold.

I think most of us on a forum here will realize that PGP/GnuPG could solve this. At the same time we realize that commercial interests detest the idea, as they will see it as overly complex "for most users". That may be a specious argument for some: their real concern being that the PGP/GnuPG method would succeed.

As I see it, while the PGP/GnuPG solution has already been developed, I don't see much prospect for general adoption of that method. Which is unfortunate: mathematics aside, the need to verify the identity of references has always existed -- and always will exist. It's a chore, no doubt, but the chores which result from neglect are vastly more onerous.
Viva la Resistencia
mike acker
Posts: 90
Joined: 2017-06-28 21:23
