
User Account Hack Attempt

Discussion in 'Suggestions & Bugs' started by wasprider, Apr 1, 2020.

  1. wasprider

    wasprider Experienced.

    Joined:
    Jan 30, 2015
    Messages:
    2,782
    Likes Received:
    13,277
    Not an April Fool's joke.

    Someone attempted to log in using my credentials.

    Luckily I had 2FA on, and I've changed my password in response. I generally use password managers and password generators, so the password is not likely to have been guessed.

    That seems like the password storage is not secure, or someone put in a fair amount of effort to hack in.

    Has this happened to anyone else recently?
     
    Ddmkm122 likes this.
  2. Biigoh

    Biigoh Primordial Tanuki Moderator

    Joined:
    Feb 19, 2013
    Messages:
    28,443
    Likes Received:
    111,710
    Ddmkm122 likes this.
  3. wasprider

    wasprider Experienced.

    Joined:
    Jan 30, 2015
    Messages:
    2,782
    Likes Received:
    13,277
    My old password was crap, so that's one reason it was easy to guess. And I was in a PM with Train Dodger, which probably didn't help if people were trying to work out from his account.
     
    Ddmkm122 likes this.
  4. alethiophile

    alethiophile Shadowed Philosopher Administrator

    Joined:
    Apr 26, 2013
    Messages:
    7,569
    Likes Received:
    52,859
    Was that password also used at any other online services?

    XF stores passwords properly hashed, so it's somewhat unlikely that someone server-side could get access to them in usable form. I'm still investigating that possibility, however.
     
    Ddmkm122 likes this.
  5. CrossyCross

    CrossyCross LADY OF LOVE

    Joined:
    Nov 18, 2013
    Messages:
    26,324
    Likes Received:
    318,179
    ....from my unqualified opinion it sounds like you just got clipped by people hunting down that retard, rather than specifically getting targeted.

    Good riddance to that dumbass. He's nothing but trouble.
     
    TmDagger, searcher8, Ddmkm122 and 2 others like this.
  6. wasprider

    wasprider Experienced.

    Joined:
    Jan 30, 2015
    Messages:
    2,782
    Likes Received:
    13,277
    No, or not anything in active use.

    That's what password managers are for, this was not changed in the migration. I've got some crappy passwords, and I'll be changing all of them.

    Apologies for the scramble.
     
    TmDagger, Ddmkm122, kinglugia and 2 others like this.
  7. CrossyCross

    CrossyCross LADY OF LOVE

    Joined:
    Nov 18, 2013
    Messages:
    26,324
    Likes Received:
    318,179
    I'm curious. After you've changed them can you say how crappy they were?
     
    Ddmkm122 likes this.
  8. wasprider

    wasprider Experienced.

    Joined:
    Jan 30, 2015
    Messages:
    2,782
    Likes Received:
    13,277
    I'd rather not. It'd be embarrassing. The weak passwords were for sites that didn't contain private information or credit card information.

    Unfortunately, I have written spicy stuff here, which could reflect on me IRL if they managed to associate it to me.
     
    TmDagger and Ddmkm122 like this.
  9. alethiophile

    alethiophile Shadowed Philosopher Administrator

    Joined:
    Apr 26, 2013
    Messages:
    7,569
    Likes Received:
    52,859
    One potential investigative avenue is to run your E-mail address through a service like haveibeenpwned.com to see if it was a part of any old data breaches.
     
    TmDagger, Ddmkm122, kinglugia and 2 others like this.
  10. wasprider

    wasprider Experienced.

    Joined:
    Jan 30, 2015
    Messages:
    2,782
    Likes Received:
    13,277
    Yep. Did that. But the way it says it is annoying.

    Looks like they're looking for breaches since the first time the email address was seen. Not sure how often to change it.

    Pasties are definite red flags, but I haven't been seeing strange activity on my accounts. Well, a lot more password resets it is.
     
    TmDagger, Ddmkm122 and alethiophile like this.
  11. tehelgee

    tehelgee The stern gaze of justice. Administrator

    Joined:
    Feb 12, 2013
    Messages:
    2,910
    Likes Received:
    12,688
    Could be that someone elsewhere has the name of wasprider and you got splash damage from people trying to use a compromised universal password of the other wasprider.
     
    TmDagger, Ddmkm122 and wasprider like this.
  12. magic9mushroom

    magic9mushroom BEST END.

    Joined:
    Feb 11, 2016
    Messages:
    3,789
    Likes Received:
    16,307
    Seems pretty unlikely that two people with the same username would also have the same password.

    Is it possible to tell if someone's logged in to your account (with your password)?
     
    Ddmkm122 likes this.
  13. tehelgee

    tehelgee The stern gaze of justice. Administrator

    Joined:
    Feb 12, 2013
    Messages:
    2,910
    Likes Received:
    12,688
    It's not uncommon for a person to use the same name across multiple sites, which is what I was suggesting. And the 2FA stopped whoever it was from getting into wasprider's account.
     
    TmDagger, Ddmkm122 and wasprider like this.
  14. wichajster

    wichajster Away

    Joined:
    Aug 22, 2017
    Messages:
    211
    Likes Received:
    560
    But 2FA typically activates only after someone has given the correct password (does it also happen this way on QQ?). Still, it was mentioned as a low-quality one, so sharing it is not out of the question.
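
The point raised in the last post (a 2FA prompt is only reached after a correct password) can be turned into a check over authentication logs: a password success that is never followed by a completed second factor means the password itself is known to someone else. This is an added example, not part of the thread and not XenForo code; the log layout, function names and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The field layout is an assumption for this
# example, not XenForo's actual log format.
SAMPLE_LOG = """\
2020-04-01T03:12:40Z user=alice ip=198.51.100.23 event=password_fail
2020-04-01T03:12:44Z user=alice ip=198.51.100.23 event=password_ok
2020-04-01T03:12:59Z user=alice ip=198.51.100.23 event=2fa_fail
2020-04-01T08:30:02Z user=alice ip=192.0.2.10 event=password_ok
2020-04-01T08:30:15Z user=alice ip=192.0.2.10 event=2fa_ok
2020-04-01T09:05:00Z user=carol ip=203.0.113.9 event=password_ok
"""
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    stamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(stamp, TS_FORMAT)
    return record


def stalled_at_second_factor(log_text, two_factor_users,
                             window=timedelta(minutes=5)):
    """Return (user, ip, time) for each correct password that was never
    followed by a successful 2FA step from the same IP within `window`."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    pending = {}  # (user, ip) -> times of password_ok still awaiting 2FA
    for ev in events:
        key = (ev["user"], ev["ip"])
        # Accounts without 2FA finish login at the password step: not a finding.
        if ev["event"] == "password_ok" and ev["user"] in two_factor_users:
            pending.setdefault(key, []).append(ev["ts"])
        elif ev["event"] == "2fa_ok":
            # A completed login clears password successes inside the window.
            pending[key] = [t for t in pending.get(key, [])
                            if ev["ts"] - t > window]
    return sorted((user, ip, t.strftime(TS_FORMAT))
                  for (user, ip), times in pending.items() for t in times)


if __name__ == "__main__":
    for user, ip, when in stalled_at_second_factor(SAMPLE_LOG, {"alice"}):
        print(f"{user}: password accepted from {ip} at {when}, 2FA never "
              "completed; treat the password as known and rotate it")
```

A hit from this check is the server-side equivalent of the unexpected 2FA prompt described in the first post, and it is a reason to rotate the password everywhere it was used.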