Recent dump of eMail data
- mike acker
- Posts: 131
- Joined: 2017-06-28 21:23
Recent dump of eMail data
Thoughts regarding the so-called "megabreach", as reported by Krebs et al.
Krebs/Megabreach
Thoughts:
Users may have used eMail addresses as User_ID on some websites. And, in many cases, such websites will offer help: if you "forgot your password", they send you a new one -- to your eMail address.
Obviously, if your eMail password is compromised, an attacker could then log into your eMail and recover the new password to <whatever>.
I really don't know how serious this risk is, but I changed some passwords anyway, as a precaution.
I had received a phishing e-mail "from me" and "to me" -- an extortion... The message was poorly done, an obvious bluff. Here, most of us will be aware that the From address on an eMail can easily be spoofed: creating a "from me" "to me" eMail doesn't mean the actual sender accessed the "from me" account. Still, in view of the recent reports of stolen eMail addresses and passwords, I made the changes anyway.
Thoughts, anyone?
Viva la Resistencia
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Recent dump of eMail data
> mike acker wrote: thoughts, anyone?

Enable two-factor authentication.
deadbang
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Recent dump of eMail data
> mike acker wrote: Users may have used eMail addresses as User_ID on some websites.

I think anyone dumb enough to use their e-mail address as a username (user_ID) deserves the consequences.
On another forum, we do them a favour and admins change the username to a non-e-mail address.
"What we expect you have already Done"
Old Website
For the Birds
What Does a Parrot Know About PTSD?
- Posts: 1939
- Joined: 2006-04-21 11:19
- Location: Sol Sector
- Has thanked: 1 time
- Been thanked: 2 times
Re: Recent dump of eMail data
Unfortunately, some websites don't ask you to choose a username -- they automatically use your e-mail address.
Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Recent dump of eMail data
I don't recall ever seeing that on any sites I visited and registered to, but if I did I certainly would not use my real e-mail address. I suppose, if it was essential, I might get one of those disposable e-mails so I could get registered, but more than likely I would simply not use or register to any website like that.
I think that most of the kind of websites that do something like that are also involved in selling the data they collect. Who knows? I also think that maybe I don't see the point of this topic here on Debian User Forums. I know, it is general discussion:

> General Discussion
> Here you can discuss every aspect of Debian. Note: not for support requests!

But I fail to see how this is an "aspect of Debian", or how it relates to Debian at all, besides the fact that most people that use Debian probably use e-mail as well, but anyway, whatever.

> mike acker wrote: thoughts, anyone?

My thoughts are it is just another topic where I will need to watch for any spam that might get posted. On a side note, I was not impressed with the "blog" at Krebs/Megabreach either, not the sort of site I am interested in. I could go on and tell about some more thoughts, but people would probably get mad and claim I am rude, etc., ... so that's all folks!
- mike acker
- Posts: 131
- Joined: 2017-06-28 21:23
Re: Recent dump of eMail data
> Head_on_a_Stick wrote:
> > mike acker wrote: thoughts, anyone?
> Enable two-factor authentication.

Thanks.
I've been thinking the same: 2FA is probably a good plan.
Viva la Resistencia
Re: Recent dump of eMail data
Since the servers have already been breached to obtain the passwords, how would 2fa keep them from breaching or faking the 2fa auth code? Would they not already possibly have that data? I chose not to use it so far, because all it does is keep me from signing on with a different device, then all I need is a pw to say, "yeah it was me." So what kind of security is that?
Last edited by bw123 on 2019-02-07 20:16, edited 1 time in total.
resigned by AI ChatGPT
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Recent dump of eMail data
> bw123 wrote: Would they not already possibly have that data?

Only if they had your mobile phone.
The authentication codes are freshly generated each time.
deadbang
Re: Recent dump of eMail data
> Head_on_a_Stick wrote:
> > bw123 wrote: Would they not already possibly have that data?
> Only if they had your mobile phone.
> The authentication codes are freshly generated each time.

Yeah, they are generated from code on a server that has been breached. It's like shutting the stall door after the horse is out of the barn and in the neighbor's orchard.
Anyway, 2fa still doesn't make email private or secure; every system between you and a mail server can copy the packets sent, it's a network. Also, the servers themselves are obviously not secure, they have employees with access.
It's just my opinion, but a lot of the "hacks" reported really don't seem to be hackers. It's just people with a thumb drive half the time. The media calls it a hack to make it sound sexy, but it's probably just dumb people doing something for money.
What do we expect from "free" email anyway?
resigned by AI ChatGPT
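Head_on_a_Stick's point that the codes are freshly generated each time, and bw123's reply that the generator lives on the server, are both properties of how time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP) are computed. The following is an added example written for this thread, not code from any poster: a minimal Python implementation checked against the published RFC 6238 test vectors. It shows that every 30-second window yields a different code and that a code from an older window is rejected by the verifier, and that every code is derived purely from a per-account secret, which the server must store to verify anything. The `enroll` helper and the `window` parameter are this example's own choices, not part of the RFC.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation.

Added example for this thread; not from any poster. RFC_TEST_SECRET is the
reference test secret from the RFC appendix, not a real credential.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Tuple

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second windows since the epoch.

    Same secret + same time window = same code, on the phone and on the server.
    """
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates `window` steps of clock drift either way.

    A code from an older window is rejected: that is what "freshly generated
    each time" buys against a replayed or previously observed code.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enroll() -> Tuple[bytes, str]:
    """Create a fresh per-account secret and its base32 form for an authenticator app.

    The server keeps `raw` to verify later codes, so it is exactly the value
    a breach of the server's credential store would expose; that is bw123's
    concern, and the reason such secrets belong in an HSM or a hardware key
    rather than next to the password hashes.
    """
    raw = secrets.token_bytes(20)                                 # 160-bit secret, as for SHA-1 HMAC
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    raw, b32 = enroll()
    print("secret for the app:", b32)
    current = totp(raw, now)
    print("code now:", current, "valid:", verify_totp(raw, current, now))
    stale = totp(raw, now - 120)
    print("code from 2 minutes ago:", stale, "valid:", verify_totp(raw, stale, now))
```

Running the block prints a freshly enrolled secret, the current code (accepted) and the code from four windows earlier (rejected). The RFC vectors used in the checks are the SHA-1 ones from RFC 6238 Appendix B truncated to six digits.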
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Recent dump of eMail data
> bw123 wrote: Yeah, they are generated from code on a server that has been breached. It's like shutting the stall door after the horse is out of the barn and in the neighbor's orchard.

Well, I would hope that any breaches would be temporary in nature, but you do raise some good points, thanks for that.
deadbang
- mike acker
- Posts: 131
- Joined: 2017-06-28 21:23
Re: Recent dump of eMail data
> Head_on_a_Stick wrote:
> > bw123 wrote: Would they not already possibly have that data?
> Only if they had your mobile phone.
> The authentication codes are freshly generated each time.

Interesting discussion here.
That the attacker has your mobile/cell number should be assumed. Intercepting the call is a little more difficult -- I think a SIM card swap is needed to do it -- i.e. I have to have a "burner" phone that I put a SIM card in with your phone number and carrier ID.
From what I've read this is not impossible. Still, the objective is to be tough enough to discourage the attack and cause the hacker to look elsewhere for an easier target.
I think the 2FA idea could help.
These problems always lead back to the same question: how do we authenticate identification in a digital world -- particularly a digital world in which most if not all of our traditional PII has long since been compromised, and sold.
I think most of us on a forum here will realize that PGP/GnuPG could solve this. At the same time we realize that commercial interests detest the idea, as they will see it as overly complex "for most users". That may be a specious argument for some: their real concern being that the PGP/GnuPG method would succeed.
As I see it, while the PGP/GnuPG solution has already been developed, I don't see much prospect for general adoption of that method. Which is unfortunate: mathematics aside, the need to verify the identity of references has always existed -- and always will exist. It's a chore, no doubt, but the chores which result from neglect are vastly more onerous.
Viva la Resistencia