|
I was at a restaurant earlier today when my phone had notified me that there was an issue authenticating my Gmail account. I thought nothing of it and assumed it was a connection issue. When I arrived home, however, I attempted to log onto my e-mail account and the password had been changed. Luckily I had another active e-mail account which I had the password reset to.
I generally am very secure when it comes to using computers and other technology, I have a virus scanner running constantly, and scan my whole computer often. Aside from that, I'm generally intelligent enough to avoid common trojan/virus traps on the internet. I also use separate passwords for everything I do, aside from one thing...
I realized that my old PSN password was the same as my Gmail password was. I changed my PSN password when the whole compromise deal went down, but didn't realize that my password for my e-mail was the same (I'm always logged in on my personal computer/phone, so I never needed to enter it).
Incidentally the attacker was from Seoul in South Korea. I've looked around a bit and have found no way to report the attack to Google, or whoever I should report such an incident to. If anybody has any information on how/where to report such an incident it would be greatly appreciated.
Finally, if you have a PSN account, and don't have 2-step verification enabled on your Gmail account/share any passwords, get on fixing that. I had nothing of importance in my account and most of my other accounts/information seemed safe. You may not be so lucky.
|
I basically have a few sets of pw's I rotate to avoid such a problem:
1. email - gets its own
2. more secure stuff like banking, online credit card balance, etc (usually each is different)
3. basically everything else (forums, etc)
this way, if one does get compromised, it's not a big deal. especially not the forum/random signup ones.
i don't see why you'd need 2 step verification if you changed your pw and security questions already, unless the korean hacker is clairvoyant. lol. once you changed everything and go to the ip logs and click "sign out all sessions", it's basically impossible for the hacker to get back in. i just find it annoying when i need to check email and I have to always reach for my phone to get the sms code, not much point if you stay vigilant.
|
It's possible that you used your gmail to register on a shady website and used the same password as your gmail.
does that sentence make sense? i'm very tired X(
shady website registration: xxx@gmail.com password1
your gmail login: xxx password1
|
I enabled 2-step verification on Gmail soon after the PSN fiasco just because that's an account I never wanted viewed by anyone else but me.
|
On May 27 2011 14:00 Cambium wrote: It's possible that you used your gmail to register on a shady website and used the same password as your gmail.
does that sentence make sense? i'm very tired X(
shady website registration: xxx@gmail.com password1
your gmail login: xxx password1
I understand what you're saying, and I've never done that. My e-mail had a unique password until I got a PSN account. I have a few passwords that I use for things that I don't really care about, and I am sure to never use my e-mail password for anything that I need my e-mail to register for.
Ballasdontcry, I've already done everything you've stated, and as I said I'm pretty sure that the compromise was due to the PSN issue about a month ago. Just throwing a warning out there for anybody who may have missed something like I apparently did.
|
@Zerste
glad that your carefulness has paid off
Also, thanks for warning
|
yea my hotmail got hacked after psn thing happened. i used the same pw for it (i don't buy stuff on psn so i didn't consider it important). I used it to subscribe to junk stuff, forums, etc. but after losing the acct i realized it was a bit more important to me than i had thought.
it caused me a lot of headache. and it probably had a lot more personal info than i wanted it to. but luckily it wasn't my main email acct. Whew.
|
This happened to me yesterday. And I was logged into my gmail, fortunately, so I found out fast. Tried to log in to my gmail on a different laptop but couldn't and had to change my password.
|
On May 27 2011 14:10 Hostile wrote: I enabled 2-step verification on Gmail soon after the PSN fiasco just because that's an account I never wanted viewed by anyone else but me.
Definitely do this. I was getting hacked up and down the wall, had numerous random security precautions, changed passwords constantly, and after I got the google authenticator (aka 2-step verification), I've had no problems since. It's sort of a paranoid move, but you really cannot go wrong with that. Good luck!
|
same happened to my gmail account a month ago, had a random login from china as well as one from seoul. no password change though. guess they dl'ed all the emails (nothing important) and that's it. changed my password, hasn't happened again since then.
|
I suggest getting several gmail accounts. I have 3 different accounts with a set purpose for each (Junk, Work, Personal). All three have different passwords. At least then if you get 'hacked' you don't end up losing everything.
|
If you're using an anti-virus in the first place, that's a sign you're already doing something wrong. If you're the kind of person who uses an anti-virus I highly recommend getting an authenticator for anything important to you.
|
So.
The PSN thing right. Did the hackers actually get PASSWORDS?... i.e. they were stored as PLAIN TEXT?! No hashing? No salting?
WHAT?!
|
On May 27 2011 16:19 VIB wrote: If you're using an anti-virus in the first place, that's a sign you're already doing something wrong. If you're the kind of person who uses an anti-virus I highly recommend getting an authenticator for anything important to you.
Why would using Anti-virus software be wrong? It is the smart thing to do. Unless you're a security ICT professional with the weird hobby to remove worms and viruses from your computer on daily basis you should be running some anti-virus/anti-spyware software. Especially normal users.
What are you smoking? :S
|
So they attempted to reset my battle.net password, and they succeeded because when I went to log on it told me my password was incorrect. Luckily I had already enabled the 2 step verification for my google account and so they could not log into it to get any further. I reset my password for my battle.net account again, and so it should be okay now.
Now I'm just wondering what else they made off with...
On May 27 2011 16:19 VIB wrote: If you're using an anti-virus in the first place, that's a sign you're already doing something wrong. If you're the kind of person who uses an anti-virus I highly recommend getting an authenticator for anything important to you.
There's no such thing as too much security. Apparently I had not enough.
|
The problem with anti-virus software is that it takes up resources, gives users a false sense of security, and flags false positives. You're plenty safe just by updating your programs and avoiding shady websites. I don't believe there's ever been a virus that exploited an unknown/unpatched vulnerability without the user's stupidity that would have been caught by anti-virus software. The only virus I've gotten in the last 10 years was when Razer's site got hacked on the same weekend as I got a new keyboard and the hacker put viruses in all the driver downloads. Anti-virus would have warned me about that I guess, but I probably would have thought it was wrong and installed anyway.
|
On May 27 2011 16:47 Zerste wrote: So they attempted to reset my battle.net password, and they succeeded because when I went to log on it told me my password was incorrect. Luckily I had already enabled the 2 step verification for my google account and so they could not log into it to get any further. I reset my password for my battle.net account again, and so it should be okay now.
Now I'm just wondering what else they made off with...
On May 27 2011 16:19 VIB wrote: If you're using an anti-virus in the first place, that's a sign you're already doing something wrong. If you're the kind of person who uses an anti-virus I highly recommend getting an authenticator for anything important to you.
There's no such thing as too much security. Apparently I had not enough.
It doesn't always have to be you. There's lots of websites with information about you. Every site you register can be hacked. Hell, Sony got hacked. If you would expect security somewhere, it'd be at a big company like Sony. So you are absolutely right, one can't be too careful.
And I would seriously consider changing ALL passwords you have. That way no matter how much they stole, they won't be able to access any account of yours anymore. (I do understand that is a lot of work though)
I hope you won't have any more trouble from here on.
|
On May 27 2011 13:57 ballasdontcry wrote: I basically have a few sets of pw's I rotate to avoid such a problem:
1. email - gets its own
2. more secure stuff like banking, online credit card balance, etc (usually each is different)
3. basically everything else (forums, etc)
this way, if one does get compromised, it's not a big deal. especially not the forum/random signup ones.
i don't see why you'd need 2 step verification if you changed your pw and security questions already, unless the korean hacker is clairvoyant. lol. once you changed everything and go to the ip logs and click "sign out all sessions", it's basically impossible for the hacker to get back in. i just find it annoying when i need to check email and I have to always reach for my phone to get the sms code, not much point if you stay vigilant.
Once your email is compromised, so is your 3. point, as all passwords are linked to email.
|
On May 27 2011 16:56 Blasts wrote:
On May 27 2011 16:47 Zerste wrote: So they attempted to reset my battle.net password, and they succeeded because when I went to log on it told me my password was incorrect. Luckily I had already enabled the 2 step verification for my google account and so they could not log into it to get any further. I reset my password for my battle.net account again, and so it should be okay now.
Now I'm just wondering what else they made off with...
On May 27 2011 16:19 VIB wrote: If you're using an anti-virus in the first place, that's a sign you're already doing something wrong. If you're the kind of person who uses an anti-virus I highly recommend getting an authenticator for anything important to you.
There's no such thing as too much security. Apparently I had not enough.
It doesn't always have to be you. There's lots of websites with information about you. Every site you register can be hacked. Hell, Sony got hacked. If you would expect security somewhere, it'd be at a big company like Sony. So you are absolutely right, one can't be too careful.
And I would seriously consider changing ALL passwords you have. That way no matter how much they stole, they won't be able to access any account of yours anymore. (I do understand that is a lot of work though)
I hope you won't have any more trouble from here on.
Thanks. I've been changing any passwords that have given me issue. The only problem is I'm not quite sure of all of the accounts that are of importance to me off the top of my head. When I go to log onto them and find that they're locked is when I'll realize and reset them. Probably more work that way but I've changed everything I can think of.
I'm paranoid about my banking stuff though. I'm pretty sure none of the information obtainable through my e-mail was telling, but I might request a new card/change of pin. I've already changed my online banking password, but still...
|
On May 27 2011 17:02 MaxwellE wrote:
On May 27 2011 13:57 ballasdontcry wrote: I basically have a few sets of pw's I rotate to avoid such a problem:
1. email - gets its own
2. more secure stuff like banking, online credit card balance, etc (usually each is different)
3. basically everything else (forums, etc)
this way, if one does get compromised, it's not a big deal. especially not the forum/random signup ones.
i don't see why you'd need 2 step verification if you changed your pw and security questions already, unless the korean hacker is clairvoyant. lol. once you changed everything and go to the ip logs and click "sign out all sessions", it's basically impossible for the hacker to get back in. i just find it annoying when i need to check email and I have to always reach for my phone to get the sms code, not much point if you stay vigilant.
Once your email is compromised, so is your 3. point, as all passwords are linked to email.
I think the point is that once 3 is compromised 1 isn't, that's why 3 gets the same passwords anyway, it's not that important or secure. I use something similar.
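|
The disagreement above between the tiered-password approach and the reply that every password is linked to e-mail comes down to which accounts become reachable after one site leaks a password. The following is an added example, not part of any post in the thread, that computes this for a personal account inventory; the accounts, password labels and the rule that 2-step verification blocks takeover are constructed assumptions.

```python
from collections import deque

# Constructed inventory modelled on the thread. Same password label = reused
# password; reset_via = mailbox that receives that account's reset e-mail.
ACCOUNTS = {
    "gmail":      {"password": "pw_A", "reset_via": None,    "two_step": False},
    "psn":        {"password": "pw_A", "reset_via": "gmail", "two_step": False},
    "battle.net": {"password": "pw_B", "reset_via": "gmail", "two_step": False},
    "bank":       {"password": "pw_C", "reset_via": "gmail", "two_step": False},
    "forum_a":    {"password": "pw_D", "reset_via": "gmail", "two_step": False},
    "forum_b":    {"password": "pw_D", "reset_via": "gmail", "two_step": False},
}

def blast_radius(accounts, breached):
    """Accounts exposed once the site `breached` leaks its stored password."""
    leaked = accounts[breached]["password"]
    reached, queue = {breached}, deque([breached])
    while queue:
        current = queue.popleft()
        for name, acct in accounts.items():
            # Model assumption: a second factor stops both reuse and reset takeover.
            if name in reached or acct["two_step"]:
                continue
            reused = acct["password"] == leaked        # same password tried elsewhere
            resettable = acct["reset_via"] == current  # reset mail lands in a reached mailbox
            if reused or resettable:
                reached.add(name)
                queue.append(name)
    return reached

def with_changes(accounts, name, **fields):
    """Copy of the inventory with some fields of one account overridden."""
    changed = {k: dict(v) for k, v in accounts.items()}
    changed[name].update(fields)
    return changed

if __name__ == "__main__":
    scenarios = {
        "PSN breach, Gmail shares its password": (ACCOUNTS, "psn"),
        "PSN breach, Gmail has 2-step": (with_changes(ACCOUNTS, "gmail", two_step=True), "psn"),
        "PSN breach, Gmail password unique": (with_changes(ACCOUNTS, "gmail", password="pw_E"), "psn"),
        "forum_a breach, tiered passwords": (ACCOUNTS, "forum_a"),
    }
    for label, (inventory, site) in scenarios.items():
        print(f"{label}: {sorted(blast_radius(inventory, site))}")
```

Replacing the constructed inventory with your own accounts shows which single reuse or reset link exposes the most.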