
Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 11:31 am
by Tessa K
Is anyone else having more problems with security? I just got my first ever email from someone saying they'd got my Facebook password (which they had) and would reveal all my embarrassing secrets if I didn't pay them. I've now changed the pw. The end of the email said 'if you don't know how to buy bitcoin, don't waste my time'. Huh?

A friend of mine who works in security in the City said that hacking etc has gone up a lot since lockdown.

I've also noticed that the cold calls I got on my landline (despite being signed up to the Telephone Preference Service) have completely stopped. I suspect that's because before lockdown they came during the day when it would be mostly old people at home, who are considered more susceptible to con men calling. Now we're all home.

Anyway, I don't keep my embarrassing stuff on FB, it's in a box under the floorboards.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 2:08 pm
by Herainestold
Tessa K wrote:
Thu Apr 23, 2020 11:31 am


Anyway, I don't keep my embarrassing stuff on FB, it's in a box under the floorboards.
As long as it is safe, so you can use it in your memoirs.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 2:22 pm
by Blackcountryboy
Tessa K wrote:
Thu Apr 23, 2020 11:31 am
Is anyone else having more problems with security? I just got my first ever email from someone saying they'd got my Facebook password (which they had) and would reveal all my embarrassing secrets if I didn't pay them. I've now changed the pw. The end of the email said 'if you don't know how to buy bitcoin, don't waste my time'. Huh?

A friend of mine who works in security in the City said that hacking etc has gone up a lot since lockdown.

I've also noticed that the cold calls I got on my landline (despite being signed up to the Telephone Preference Service) have completely stopped. I suspect that's because before lockdown they came during the day when it would be mostly old people at home, who are considered more susceptible to con men calling. Now we're all home.

Anyway, I don't keep my embarrassing stuff on FB, it's in a box under the floorboards.
I have had a few of those Tessa, the last two said they had my password, they had a password I once used for Facebook but changed it some years ago.

There is something here about it, dated July 2018. https://www.businessinsider.com/new-ema ... ?r=US&IR=T

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 3:26 pm
by Bird on a Fire
You can check which of your accounts have been compromised here https://haveibeenpwned.com/ - it searches leaked files of user accounts for the email address you enter.

Worth changing your password for any that appear on that list.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 3:28 pm
by Tessa K
Blackcountryboy wrote:
Thu Apr 23, 2020 2:22 pm
Tessa K wrote:
Thu Apr 23, 2020 11:31 am
Is anyone else having more problems with security? I just got my first ever email from someone saying they'd got my Facebook password (which they had) and would reveal all my embarrassing secrets if I didn't pay them. I've now changed the pw. The end of the email said 'if you don't know how to buy bitcoin, don't waste my time'. Huh?

A friend of mine who works in security in the City said that hacking etc has gone up a lot since lockdown.

I've also noticed that the cold calls I got on my landline (despite being signed up to the Telephone Preference Service) have completely stopped. I suspect that's because before lockdown they came during the day when it would be mostly old people at home, who are considered more susceptible to con men calling. Now we're all home.

Anyway, I don't keep my embarrassing stuff on FB, it's in a box under the floorboards.
I have had a few of those Tessa, the last two said they had my password, they had a password I once used for Facebook but changed it some years ago.

There is something here about it, dated July 2018. https://www.businessinsider.com/new-ema ... ?r=US&IR=T
That's useful, thanks. It shows how long it is since I changed my FB password. I knew there was nothing 'embarrassing' they could have on me but I was concerned about my security online generally so it was a salutary reminder about password management.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 3:49 pm
by Nero
Bird on a Fire wrote:
Thu Apr 23, 2020 3:26 pm
You can check which of your accounts have been compromised here https://haveibeenpwned.com/ - it searches leaked files of user accounts for the email address you enter.

Worth changing your password for any that appear on that list.
The haveibeenpwned site tells me that I was pwned by a data breach from MyFitnessPal, which would be very peculiar because that's a service/app I've never used. I guess someone else could have signed up to their service using my email address, but that would be peculiar too. I've just checked my email, and sure enough I did get an alert from MyFitnessPal about two years ago, telling me about the breach.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 4:12 pm
by Bird on a Fire
Nero wrote:
Thu Apr 23, 2020 3:49 pm
Bird on a Fire wrote:
Thu Apr 23, 2020 3:26 pm
You can check which of your accounts have been compromised here https://haveibeenpwned.com/ - it searches leaked files of user accounts for the email address you enter.

Worth changing your password for any that appear on that list.
The haveibeenpwned site tells me that I was pwned by a data breach from MyFitnessPal, which would be very peculiar because that's a service/app I've never used. I guess someone else could have signed up to their service using my email address, but that would be peculiar too. I've just checked my email, and sure enough I did get an alert from MyFitnessPal about two years ago, telling me about the breach.
I think the same account is used for some other fitness apps, like Endomondo, if you've used that?

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 4:14 pm
by shpalman
Bird on a Fire wrote:
Thu Apr 23, 2020 3:26 pm
You can check which of your accounts have been compromised here https://haveibeenpwned.com/ - it searches leaked files of user accounts for the email address you enter.

Worth changing your password for any that appear on that list.
The point is that you should change your password on any site you use for which you were using the same password, if you were in the habit of using the same password on different sites (and then get out of that habit).

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 4:25 pm
by Little waster
My rarely used Amazon account got hacked last month and the hacker locked me out of it and as it very conveniently stores your card details someone has been having a jolly time ordering random things and signing up to Dutch Netflix accounts.

Of course with the lockdown it took hours to get through to the bank to actually cancel the compromised card.

What has then followed is a month of kafkaesque conversations with Amazon where I had to set up a new account to report that the first one had been hacked and then have the same circular conversation with a variety of call centre staff regarding my inability to access my account because it has been hacked so therefore I can't change its password, email address, or phone numbers because it's been hacked and no I can't receive OTPs because you keep texting them to the hacker and no I can't tell you what the last purchase was because my account has been hacked.

Luckily it is only Amazon so it is just as well I can pop to the shops for anything I need ... oh.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 4:28 pm
by Bird on a Fire
shpalman wrote:
Thu Apr 23, 2020 4:14 pm
Bird on a Fire wrote:
Thu Apr 23, 2020 3:26 pm
You can check which of your accounts have been compromised here https://haveibeenpwned.com/ - it searches leaked files of user accounts for the email address you enter.

Worth changing your password for any that appear on that list.
The point is that you should change your password on any site you use for which you were using the same password, if you were in the habit of using the same password on different sites (and then get out of that habit).
Good point - that's what I meant to say ;)

I am a shameless password-recycler for the majority of accounts I use, because I'd never remember them all otherwise (although these days it's getting hard to remember which sites want a number and special character vs just a number etc). My computers and primary email have stronger exceptions, but beyond that I'm not enormously worried if somebody can log into my facebook or whatever. There's nothing of interest there anyway.

I should probably look into using a properly secure online password manager, if such a thing can be relied upon to exist, but I don't like the idea of having a single central vulnerability, whether third-party (and therefore hackable) or local (and therefore reliant on my cheap/old/sh.t hardware not failing and/or remembering to back up regularly).

If people want to rearrange my pinterest board or look at naked photos or mod the scrutable forum, good luck to them.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 4:30 pm
by Bird on a Fire
Little waster wrote:
Thu Apr 23, 2020 4:25 pm
My rarely used Amazon account got hacked last month and the hacker locked me out of it and as it very conveniently stores your card details someone has been having a jolly time ordering random things and signing up to Dutch Netflix accounts.
Yeah I've stopped storing cards on Amazon after I noticed they'll allow you to use the same cards repeatedly without asking for a CCV or anything. Seems totally insecure.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 5:46 pm
by Nero
Bird on a Fire wrote:
Thu Apr 23, 2020 4:12 pm
I think the same account is used for some other fitness apps, like Endomondo, if you've used that?
Nope, I've never used any fitness apps/services of any flavour.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 7:20 pm
by Fishnut
I've used the free version of LastPass for years and would highly recommend it. Easy to use, I've got the extension on my browsers and the app on my phone and tablet so all I need to remember is one password and it does the rest. I'm a bit lax at changing my passwords but thanks to this thread I've just updated my main ones.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 8:41 pm
by science_fox
Tessa K wrote:
Thu Apr 23, 2020 11:31 am
Is anyone else having more problems with security? I just got my first ever email from someone saying they'd got my Facebook password (which they had) and would reveal all my embarrassing secrets if I didn't pay them. I've now changed the pw. The end of the email said 'if you don't know how to buy bitcoin, don't waste my time'. Huh?

A friend of mine who works in security in the City said that hacking etc has gone up a lot since lockdown.

I've also noticed that the cold calls I got on my landline (despite being signed up to the Telephone Preference Service) have completely stopped. I suspect that's because before lockdown they came during the day when it would be mostly old people at home, who are considered more susceptible to con men calling. Now we're all home.

Anyway, I don't keep my embarrassing stuff on FB, it's in a box under the floorboards.
Note - many websites let you login using your FB account. It's not just about what's on FB but it's also all of your contacts who may trust a link sent under your name, but also anything you use FB to login to.

Can anyone explain very simply to a not very IT savvy person how password managers work in practice?

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 9:02 pm
by Fishnut
science_fox wrote:
Thu Apr 23, 2020 8:41 pm
Can anyone explain very simply to a not very IT savvy person how password managers work in practice?
I'm not a very IT savvy person but the way it seems to work - and I'm happy to be corrected - is that it's a password-protected list of passwords with a few extra bells and whistles. Every time you make a new password for a site it asks if you want to save it and then next time you're on the site it recognises that and logs in for you. If they get hacked then obviously you're vulnerable but I've not heard of any cases of that happening and because they're designed to keep passwords secure I'm guessing - fervently hoping - that they have all sorts of tech that is designed to prevent breaches. They're a more sophisticated version of using a password-protected document or carrying around a notebook of passwords.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 9:15 pm
by Sciolus
I use Password Safe, which is an offline password manager.

Install software. Choose a memorable passphrase for it. Whenever a new site wants to create an account, you create a new entry in PWS with the name of the site and your username, and tell it to create a password* for you. When you need to login to a site, open PWS (entering your passphrase), scroll down to the site you want, and press Ctrl+C, then paste it into the website.

Make lots and lots of backups of the PWS database file.

A bit of a faff but if you let your browser remember the password to unimportant sites (Scrutable) it's not particularly burdensome. If there's a site you use frequently but which is security-critical (webmail, bank) you might be better using high-quality unique passphrases for them.

*You can specify the rules for the password, and I think I go with 20-character alphanumeric ones which are strong enough.

I believe LastPass and online managers streamline this a bit, but have larger but still hopefully small risk of being compromised. But I started using PWS before those were invented (or before I heard of them) so I never bothered changing.

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 9:33 pm
by Gfamily
I use the Chrome password manager as it works seamlessly across my android phone, PC and laptop. It remembers passwords when you first enter them, and pre-fills them when you are logging in again. It also generates randomised passwords when logging in to a new site, which avoids the temptation to have the same password for multiple sites.

You can check what password you have for each site via the browser 'settings' tab - which is helpful if an earlier password is shown to have been hacked (particularly if it's one that you might have reused).

Re: Lockdown hacking, blackmail and security

Posted: Thu Apr 23, 2020 9:36 pm
by Herainestold
Sciolus wrote:
Thu Apr 23, 2020 9:15 pm
I use Password Safe, which is an offline password manager.

Install software. Choose a memorable passphrase for it. Whenever a new site wants to create an account, you create a new entry in PWS with the name of the site and your username, and tell it to create a password* for you. When you need to login to a site, open PWS (entering your passphrase), scroll down to the site you want, and press Ctrl+C, then paste it into the website.

Make lots and lots of backups of the PWS database file.

A bit of a faff but if you let your browser remember the password to unimportant sites (Scrutable) it's not particularly burdensome. If there's a site you use frequently but which is security-critical (webmail, bank) you might be better using high-quality unique passphrases for them.

*You can specify the rules for the password, and I think I go with 20-character alphanumeric ones which are strong enough.

I believe LastPass and online managers streamline this a bit, but have larger but still hopefully small risk of being compromised. But I started using PWS before those were invented (or before I heard of them) so I never bothered changing.
So is it safer than sites that store your passwords online but are encrypted?

Do you have to have one for each of your devices?

It seems like a good idea if it works and a really bad one if some hacker breaches it.

Re: Lockdown hacking, blackmail and security

Posted: Fri Apr 24, 2020 11:11 am
by Tessa K
I now store passwords on a bit of paper hidden away. No one's going to hack that.

ETA Oops, just remembered to change my Amazon pw too. I don't log into anything else using my FB account.

Re: Lockdown hacking, blackmail and security

Posted: Fri Apr 24, 2020 11:22 am
by Martin Y
Tessa K wrote:
Fri Apr 24, 2020 11:11 am
I now store passwords on a bit of paper hidden away. No one's going to hack that.
I am one step more paranoid and have two bits of paper. One lists what the other's passwords are for. Too anally retentive? No, that would be keeping one in the left sock drawer and one in the right.

Yes, I appreciate that the extra security this affords is essentially nothing.

Still, there are a few key passwords which are only in my head so even if you get the list you don't get to log into my phone or laptop, nor my Gmail, bank, PayPal, Microsoft, Facebook (actually I suspect I've forgotten that one, which will be a bridge to cross in due course).

Re: Lockdown hacking, blackmail and security

Posted: Fri Apr 24, 2020 11:31 am
by Tessa K
Martin Y wrote:
Fri Apr 24, 2020 11:22 am
Tessa K wrote:
Fri Apr 24, 2020 11:11 am
I now store passwords on a bit of paper hidden away. No one's going to hack that.
I am one step more paranoid and have two bits of paper. One lists what the other's passwords are for. Too anally retentive? No, that would be keeping one in the left sock drawer and one in the right.

Yes, I appreciate that the extra security this affords is essentially nothing.

Still, there are a few key passwords which are only in my head so even if you get the list you don't get to log into my phone or laptop, nor my Gmail, bank, PayPal, Microsoft, Facebook (actually I suspect I've forgotten that one, which will be a bridge to cross in due course).
If you've forgotten the FB one they will email you a code to put in to change it. Or text you, however you've set it up.

Re: Lockdown hacking, blackmail and security

Posted: Fri Apr 24, 2020 11:38 am
by Bird on a Fire
Tessa K wrote:
Fri Apr 24, 2020 11:31 am
Martin Y wrote:
Fri Apr 24, 2020 11:22 am
Tessa K wrote:
Fri Apr 24, 2020 11:11 am
I now store passwords on a bit of paper hidden away. No one's going to hack that.
I am one step more paranoid and have two bits of paper. One lists what the other's passwords are for. Too anally retentive? No, that would be keeping one in the left sock drawer and one in the right.

Yes, I appreciate that the extra security this affords is essentially nothing.

Still, there are a few key passwords which are only in my head so even if you get the list you don't get to log into my phone or laptop, nor my Gmail, bank, PayPal, Microsoft, Facebook (actually I suspect I've forgotten that one, which will be a bridge to cross in due course).
If you've forgotten the FB one they will email you a code to put in to change it. Or text you, however you've set it up.
There are a few websites - Student Loans comes to mind - where I can never remember the passwords so I have to rely on resetting it every time I have to log in (annually, to confirm that I'm still in higher education and therefore exempt from repayments). In that case it's because they make you answer some pre-set security questions, and I honestly can't remember who I claimed was my "favourite teacher" or "favourite colour" in 2008.

Portuguese banks make you choose multiple pass-numbers of different lengths (between the two banks I use I have 4, 5, 6, 9, 10 and 12 digit numbers I occasionally need). Obviously I have them all written down, in plain text, on the notes app of my phone. OTOH my accounts only have money in for the first week of every month, so if someone hacks me they have a 75% chance of getting nothing.

Re: Lockdown hacking, blackmail and security

Posted: Fri Apr 24, 2020 11:53 am
by Brightonian
Martin Y wrote:
Fri Apr 24, 2020 11:22 am
Tessa K wrote:
Fri Apr 24, 2020 11:11 am
I now store passwords on a bit of paper hidden away. No one's going to hack that.
I am one step more paranoid and have two bits of paper. One lists what the other's passwords are for. Too anally retentive? No, that would be keeping one in the left sock drawer and one in the right.

Yes, I appreciate that the extra security this affords is essentially nothing.

Still, there are a few key passwords which are only in my head so even if you get the list you don't get to log into my phone or laptop, nor my Gmail, bank, PayPal, Microsoft, Facebook (actually I suspect I've forgotten that one, which will be a bridge to cross in due course).
I did the same for my father not long after he declared he was going to use the same password for everything. So now he has one notebook with entries for Gmail, Amazon etc. that each have a reference no. corresponding to an entry in another, hidden notebook that has passwords, CVV nos., account nos. etc. Works well for my technophobe father.

Re: Lockdown hacking, blackmail and security

Posted: Fri Apr 24, 2020 1:22 pm
by bagpuss
I use a formula for creating pretty much unique passwords for any purpose which I'm fairly sure I saw someone suggest on a previous forum and I shamelessly nicked the idea.

I have a sentence, the password is then made up of the first letters of this sentence with the addition of a special character/number or two and then a number of other letters and numbers interspersed, which are all derived from the website/software/whatever that the account is for.

The result is an almost always unique password that is nonetheless completely memorable/work-out-able without needing any password manager or writing anything down. The only downside is that I have, so far, come across 2 websites which don't permit the resulting password - in one case because it doesn't like special characters, in another case because the resulting password is too long (WTF?). Neither is a website I use terribly often, in fact I can't currently recall which they are, so I just reset my password when I come across a situation where my formula doesn't work.

Re: Lockdown hacking, blackmail and security

Posted: Fri Apr 24, 2020 3:36 pm
by Brightonian
bagpuss wrote:
Fri Apr 24, 2020 1:22 pm
I use a formula for creating pretty much unique passwords for any purpose which I'm fairly sure I saw someone suggest on a previous forum and I shamelessly nicked the idea.

I have a sentence, the password is then made up of the first letters of this sentence with the addition of a special character/number or two and then a number of other letters and numbers interspersed, which are all derived from the website/software/whatever that the account is for.

The result is an almost always unique password that is nonetheless completely memorable/work-out-able without needing any password manager or writing anything down. The only downside is that I have, so far, come across 2 websites which don't permit the resulting password - in one case because it doesn't like special characters, in another case because the resulting password is too long (WTF?). Neither is a website I use terribly often, in fact I can't currently recall which they are, so I just reset my password when I come across a situation where my formula doesn't work.
That's almost what I do (some characters from the website name, plus some characters from other words, and a sprinkling of some numbers and special characters), so maybe in a former parish I described what I did. If not, then maybe everyone has the same idea so we should be worried.

I keep a spreadsheet where I store hints to the words from which I pick characters etc. that make up the passwords.