Recent dump of eMail data

Here you can discuss every aspect of Debian. Note: not for support requests!
mike acker
Posts: 131
Joined: 2017-06-28 21:23

Recent dump of eMail data

#1 Post by mike acker »

Thoughts regarding the so-called "megabreach" -- as reported by Krebs et al.
Krebs/Megabreach

Thoughts:

Users may have used eMail addresses as User_ID on some websites. And, in many cases, such web sites will offer help: If you "forgot your password": they send you a new one -- to your eMail address.

obviously, if your eMail password is compromised -- an attacker could then log into your eMail -- and recover the new password to <whatever>.

I really don't know how serious this risk is but I changed some passwords anyway, as a precaution.

I had received a phishing eMail "from me" and "to me" -- an extortion,.... the message was poorly done, an obvious bluff. Here, most of us will be aware that the from address on an eMail can easily be spoofed: creating a "from me" "to me" eMail doesn't mean the actual sender accessed the "from me" account. Still, in view of the recent reports of stolen eMail addresses and passwords -- I made the changes, anyway.

thoughts, anyone?
Viva la Resistencia

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Recent dump of eMail data

#2 Post by bw123 »

Even with a password, email is neither private nor secure?
resigned by AI ChatGPT

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Recent dump of eMail data

#3 Post by Head_on_a_Stick »

mike acker wrote:thoughts, anyone?
Enable two-factor authentication.
deadbang

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Recent dump of eMail data

#4 Post by GarryRicketson »

Users may have used eMail addresses as User_ID on some websites.
I think anyone dumb enough to use their e-mail address as a username (user_ID) deserves the consequences.
On another forum, we do them a favour and admins change the username to a non-e-mail address.

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Recent dump of eMail data

#5 Post by pcalvert »

Unfortunately, some websites don't ask you to choose a username -- they automatically use your e-mail address.

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Recent dump of eMail data

#6 Post by GarryRicketson »

I don't recall ever seeing that on any sites I visited and registered to, but if I did I certainly would not use my real e-mail address. I suppose, if it was essential, I might get one of those disposable e-mails so I could get registered, but more than likely I would simply just not use or register to any website like that.
I think that most of the kind of websites that do something like that also are involved in selling the data they collect. Who knows? I also think that maybe I don't see the point of this topic, here on Debian User Forums. I know, it is general discussion:
General Discussion
Here you can discuss every aspect of Debian. Note: not for support requests!
But I fail to see how this is an "aspect of Debian", or how it relates to Debian at all, besides the fact that most people that use Debian probably use e-mail as well, but anyway, whatever,
thoughts, anyone?
My thoughts are it is just another topic where I will need to watch for any spam that might get posted. On a side note, I was not impressed with the "blog" at Krebs/Megabreach either, not the sort of site I am interested in. I could go on, and tell about some more thoughts, but people would probably get mad and claim I am rude, etc.,... so that's all folks!

mike acker
Posts: 131
Joined: 2017-06-28 21:23

Re: Recent dump of eMail data

#7 Post by mike acker »

Head_on_a_Stick wrote:
mike acker wrote:thoughts, anyone?
Enable two-factor authentication.
thanks
i've been thinking the same: 2FA is probably a good plan.
Viva la Resistencia

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Recent dump of eMail data

#8 Post by bw123 »

Since the servers have already been breached to obtain the passwords, how would 2fa keep them from breaching or faking the 2fa auth code? Would they not already possibly have that data? I chose not to use it so far, because all it does is keep me from signing on with a different device, then all I need is a pw to say, "yeah it was me." So what kind of security is that?
Last edited by bw123 on 2019-02-07 20:16, edited 1 time in total.
resigned by AI ChatGPT

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Recent dump of eMail data

#9 Post by Head_on_a_Stick »

bw123 wrote:Would they not already possibly have that data?
Only if they had your mobile phone ;)

The authentication codes are freshly generated each time.
deadbang

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Recent dump of eMail data

#10 Post by bw123 »

Head_on_a_Stick wrote:
bw123 wrote:Would they not already possibly have that data?
Only if they had your mobile phone ;)

The authentication codes are freshly generated each time.
Yeah, they are generated from code on a server that has been breached. It's like shutting the stall door after the horse is out of the barn and in the neighbor's orchard.

Anyway, 2fa still doesn't make email private or secure; every system between you and a mail server can copy the packets sent, it's a network. Also, the servers themselves are obviously not secure; they have employees with access.

It's just my opinion, but a lot of the "hacks" reported really don't seem to be hackers. It's just people with a thumb drive half the time. The media calls it a hack to make it sound sexy, but it's probably just dumb people doing something for money.

What do we expect from "free" email anyway?
resigned by AI ChatGPT

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Recent dump of eMail data

#11 Post by Head_on_a_Stick »

bw123 wrote:Yeah, they are generated from code on a server that has been breached. It's like shutting the stall door after the horse is out of the barn and in the neighbors orchard.
Well I would hope that any breaches would be temporary in nature but you do raise some good points, thanks for that.
deadbang

mike acker
Posts: 131
Joined: 2017-06-28 21:23

Re: Recent dump of eMail data

#12 Post by mike acker »

Head_on_a_Stick wrote:
bw123 wrote:Would they not already possibly have that data?
Only if they had your mobile phone ;)

The authentication codes are freshly generated each time.
interesting discussion here

that the attacker has your mobile/cell number should be assumed. intercepting the call is a little more difficult -- i think a sim card swap is needed to do it -- i.e. i have to have a "burner" phone that i put a sim card in with your phone number and carrier ID

from what i've read this is not impossible. still the objective is to be tough enough to discourage the attack and cause the hacker to look elsewhere for an easier target

i think the 2FA idea could help

these problems always lead back to the same question: how do we authenticate identification in a digital world -- particularly a digital world in which most if not all of our traditional PII has long since been compromised, and sold

i think most of us on a forum here will realize that PGP/GnuPG could solve this. at the same time we realize that commercial interests detest the idea as they will see it as overly complex "for most users". That may be a specious argument for some: their real concern being that the PGP/GnuPG method would succeed.

as I see it, while the PGP/GnuPG solution has already been developed, I don't see much prospect for general adoption of that method. which is unfortunate: mathematics aside, the need to verify the identity of references has always existed -- and always will exist. It's a chore, no doubt, but the chores which result from neglect are vastly more onerous.
Viva la Resistencia
