Old 11th September 2014, 13:04   #16
BHPian
 
 
Join Date: Oct 2005
Location: GTA
Posts: 810
Thanked: 636 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

Quote:
Originally Posted by pranxter View Post
This is not to scare anybody or create FUD, but I am just trying to figure out a few things..
What I am worried about and indicated in my first post is not about gmail password being leaked. Those might be for third party services where gmail is used for logging in or for account signup.

The password it listed actually matches with the password I had set for Team BHP. So I have reasons to doubt if the credentials of the users in the forum might have been indeed leaked (maybe in the past or it was harvested over a period of time).

Apparently, I got hold of the email dumps and it has only the first 2 characters of the password. While going through this file I noticed a couple of email IDs with 'teambhp' suffixed to them and one of them was admin+above keyword.

Now, if it's indeed the admin and the password was not changed I would be worried!

I used 'grep' in case you are wondering if I went through 5 million text lines
Well, me thinks the same. It shows me my current TBHP password. I'm going to go ahead and change it immediately!
hellmet is offline   Reply With Quote
Old 11th September 2014, 13:15   #17
BHPian
 
Join Date: May 2008
Location: Bangalore
Posts: 181
Thanked: 141 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

Can I take this opportunity to advise that everyone should use something like lastpass password manager and generate random passwords for all websites they sign up.
It takes very little time to set it up and is very easy to use
etrast75 is offline   Reply With Quote
Old 11th September 2014, 13:17   #18
BHPian
 
Join Date: Aug 2009
Location: Trivandrum
Posts: 905
Thanked: 353 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

If your email id is not already listed, don't you think that you are supplying your email id to them by typing out your email id for checking? Looks like a new way of harvesting email ids.
jinojohnt is offline   Reply With Quote
Old 11th September 2014, 13:20   #19
BHPian
 
Join Date: Feb 2009
Location: Bangalore
Posts: 34
Thanked: 11 Times

Quote:
Originally Posted by etrast75 View Post
Can I take this opportunity to advise that everyone should use something like lastpass password manager and generate random passwords for all websites they sign up.
It takes very little time to set it up and is very easy to use
+1 to that recommendation. There are also utilities like Keepass in addition to Lastpass that do a good job. I am wary of Lastpass because it's on the cloud, while with Keepass I have control because it is stored locally.

More importantly, never re-use the password elsewhere.

Quote:
Originally Posted by hellmet View Post
Well, me thinks the same. It shows me my current TBHP password. I'm going to go ahead and change it immediately!
Houston, We have a Problem!!!

If other members can check and validate, we will have to request Admins to force-reset the passwords of all teambhp users, as a precautionary measure to minimize the chances of unauthorized logins.

And if you are wary of putting your email address online at isleaked dotcom site, you can use
https://haveibeenpwned.com/

The site is maintained by Troy Hunt, a respectable figure in the Information Security field.

Also, if you do not want to key in your email online at all, PM me as I have the download of the list and I can check and let you know the first character of your password. If it's indeed the same one used for TeamBhp Forum login, change it ASAP. You will have to trust me on this.

Last edited by Rehaan : 11th September 2014 at 15:09. Reason: Merging consecutive posts.
pranxter is offline   Reply With Quote
Old 11th September 2014, 14:49   #20
Team-BHP Support
 
 
Join Date: Feb 2004
Location: Bombay
Posts: 22,229
Thanked: 21,884 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

Two things:

1) Never use the same password in any two sites.

2) When it comes to securing your gmail: TURN ON 2-FACTOR AUTHENTICATION FOR GOOGLE.

I'm gonna say that 3 more times:
TURN ON 2-STEP AUTHENTICATION FOR GOOGLE !!
TURN ON 2-STEP AUTHENTICATION FOR GOOGLE !!!!
TURN ON 2-STEP AUTHENTICATION FOR GOOGLE !!!!!!!!!!!!

Turn it on from here:
https://support.google.com/accounts/answer/180744?hl=en


This will ONLY ask you to receive an SMS and verify the code the FIRST time you sign in on a NEW device that you've never used before in your life. It happens so infrequently that it's really not a bother. We barely use devices that are not our own these days.

If you can't receive SMSs for some reason, it also has the "call me and read out my code" option.

If you're worried you don't have your phone with you, Google will also give you 10 'one-time use' codes, that you can either keep written in your wallet, or email to yourself at your SECONDARY (and less important) account.

Think about:
a) Even if you're supremely careful with your password, it's vulnerabilities in sites & systems that could still leak it
b) Imagine losing all your Google related data and never getting it back (scary)
c) Imagine someone gaining access to all your private gmail data
d) Having a spammer send questionable emails to ALL your business contacts
e) Having a hacker get access to EVERY SINGLE account that you have linked to your gmail account (twitter, instagram, bank accounts, facebook, project management, etc) and the damage that could do!!

Turn this on now!




^ It makes your account so secure, that you could literally post your password in this thread and it's unlikely that any hacker would be able to gain access to your account.


cya
R

Last edited by Rehaan : 11th September 2014 at 15:07.
Rehaan is offline   Reply With Quote
Old 11th September 2014, 15:12   #21
Team-BHP Support
 
 
Join Date: Feb 2004
Location: Bombay
Posts: 22,229
Thanked: 21,884 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

@Pranxter,

Thanks for taking the initiative to point this out.

Quote:
Originally Posted by pranxter View Post
The password it listed actually matches with the password I had set for Team BHP.
Are you 1000% sure you haven't used the same password elsewhere?

Like others on this thread have said, this sounds like the collection of phished accounts.

My addresses (for 2 TBHP accounts - active for 10 & 8 years respectively) don't show up in the list.

Quote:
Originally Posted by pranxter View Post
Apparently, I got hold of the email dumps and it has only the first 2 characters of the password. While going through this file I noticed a couple of email IDs with 'teambhp' suffixed to them and one of them was admin+above keyword.
Doesn't sound like an email address we use. Is it a gmail one? Could you please PM me the full address so there's no misunderstanding here.

Thanks!
R

Last edited by Rehaan : 11th September 2014 at 15:16.
Rehaan is offline   Reply With Quote
Old 11th September 2014, 15:49   #22
BHPian
 
Join Date: Feb 2009
Location: Bangalore
Posts: 34
Thanked: 11 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

Quote:
Originally Posted by Rehaan View Post
Could you please PM me the full address so there's no misunderstanding here.

Thanks!
R
Sent you a message.

Just a question: Are the passwords stored in plain text or are they encrypted, hashed & salted?

That would clarify a few things.
pranxter is offline   Reply With Quote
Old 11th September 2014, 16:21   #23
BHPian
 
 
Join Date: Oct 2005
Location: GTA
Posts: 810
Thanked: 636 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

Quote:
Originally Posted by Rehaan View Post

2) When it comes to securing your gmail: TURN ON 2-FACTOR AUTHENTICATION FOR GOOGLE.

R
This is a golden piece of advice. You can turn this on even on some banking sites, too. Citibank has it!
hellmet is offline   Reply With Quote
Old 12th September 2014, 09:52   #24
BHPian
 
Join Date: Mar 2005
Location: goa
Posts: 979
Thanked: 43 Times
Angry re: Gmail Password Leak or probable credential compromise on other websites?

Quote:
Originally Posted by filcord View Post
I cannot see any first two characters of any password being shown. All it says is that my email address is included
Correction. One can see the first two characters if one inputs the entire email address, without asterisks. In my case it's the password I use for some sites, not my gmail password. Going to sit and change one by one.... Groan!
filcord is offline   Reply With Quote
Old 12th September 2014, 10:41   #25
BHPian
 
Join Date: Feb 2009
Location: Bangalore
Posts: 34
Thanked: 11 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

Quote:
Originally Posted by filcord View Post
Correction. One can see the first two characters if one inputs the entire email address, without asterisks. In my case it's the password I use for some sites, not my gmail password. Going to sit and change one by one.... Groan!
@filcord by any chance is it also the same password that you used for logging into this forum? Pls confirm

If yes, of course change it ASAP.
pranxter is offline   Reply With Quote
Old 12th September 2014, 12:17   #26
BHPian
 
Join Date: Mar 2005
Location: goa
Posts: 979
Thanked: 43 Times
Default re: Gmail Password Leak or probable credential compromise on other websites?

Quote:
Originally Posted by pranxter View Post
@filcord by any chance is it also the same password that you used for logging into this forum? Pls confirm

If yes, of course change it ASAP.
yes it is, double !
But the odd thing is, it is not the email address I use for this forum. I use an entirely different one, from another provider, so it looks like the leak happened elsewhere, not at this forum?

Last edited by filcord : 12th September 2014 at 12:18.
filcord is offline   Reply With Quote
Old 12th September 2014, 18:09   #27
BHPian
 
 
Join Date: Feb 2008
Location: Bangalore,Mysore
Posts: 183
Thanked: 77 Times
Thumbs up Re: Gmail Password Leak or probable credential compromise on other websites?

Quote:
Originally Posted by Rehaan View Post
2) When it comes to securing your gmail: TURN ON 2-FACTOR AUTHENTICATION FOR GOOGLE.
Thanks a lot Rehaan for this very important tip. Now, I have enabled two factor authentication for gmail on my PC.

Last edited by Rehaan : 12th September 2014 at 18:11. Reason: Shortening quote. Adding spaces after punctuation marks. Glad you've turned it on ;)
virgopal is offline   Reply With Quote
Old 12th September 2014, 18:29   #28
BHPian
 
 
Join Date: Jul 2011
Location: Bombay
Posts: 700
Thanked: 1,592 Times

The password I used for the email account I sign into Team BHP with, and my Team BHP account was compromised. However, I must admit that it was a lazy password (one that figures in standard password lists) that I used for various forums I log into. Have now changed to something unique for team BHP and for that account.
Hayek is offline   Reply With Quote