Thai Visa Forum

Google: Compromised passwords notification



Five days ago, I got the following from Google.

 

[Image: gcpw.jpg]

 

I changed my Google password and then did some housekeeping and deleted a slew of saved passwords and logins for sites that I no longer access or have been "404'd".

 

Last night, I logged into my eBay account for the first time in many months. It prompted that I was logging in from a "different computer" and I went through a simple 'not a robot' verification procedure. I thought the "different computer" notice was strange since I only access eBay on my laptop and office computers and I was on my laptop.

 

Anyway, I was advised that my logins had been compromised, my password and security questions had been reset and I needed to get a PIN to continue to the Password reset.

 

[Image: ebpw.jpg]

 

PIN received, but when I went to the Change Password option, it required a confirmation SMS to my US phone number, which has expired and is no longer valid. Lacking any other options, I emailed their Security explaining the issue and asking for a workaround. Meanwhile, I am acquiring a new US phone number.

 

I am an infrequent eBay user and not a bulk buyer/seller. There was a message posted by a member on LinkedIn last week that LinkedIn had a significant data breach but so far, LinkedIn haven't messaged their members about it. Here's one article relating to this breach.

 

https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/

 

I used their "personal data leak checker database" to check the four email addresses I use and my 'junk' account (not a gmail account) tested +ve.

 

[Image: pwck.jpg]

 

Apparently there was an earlier data breach on Facebook (I am not a member) so maybe a good time for those with multiple online accounts to do some housekeeping and forensics on their logins and passwords.

 

Stay safe online!

NL

 

Edited by NanLaew
  • Thanks 1
Link to post
Share on other sites

Problem is that many people use one password for many sites. I did that in the past too. Then I got LastPass and it remembers all the sites and there is just one main password. So now I don't care anymore if a site is hacked, I got different passwords for all sites. LastPass made it possible, otherwise I would not have done so as I would have to remember them all.

 

 

Link to post
Share on other sites
15,212,645,925  Breached Accounts
2,563,218,607  Unique emails

checked my email leaked from at least 4 websites (I found their databases in public access) and this "2.5 bln unique emails" website found nothing. meh, they don't even have the BTC-e leak.

 

1 hour ago, robblok said:

Problem is that many people use one password for many sites.

 

now there is another huge problem - is that many people use same email for many sites. I used to do that years ago but after all those leaks began to appear in public I started registering a new fake email or using a junk mailbox for every single website.

 

  • Haha 1
Link to post
Share on other sites
On 4/21/2021 at 11:34 AM, NanLaew said:

It prompted that I was logging in from a "different computer"

This is the normal behaviour of many websites after you've cleaned your browser cache (which you should do at least once a month, anyway).

  • Like 1
Link to post
Share on other sites
On 4/21/2021 at 11:34 AM, NanLaew said:

Last night, I logged into my eBay account for the first time in many months. It prompted that I was logging in from a "different computer" and I went through a simple 'not a robot' verification procedure. I thought the "different computer" notice was strange since I only access eBay on my laptop and office computers and I was on my laptop.

 

This is typically the result of your ISP router getting a new dynamic IP address. It is very common and nothing to be concerned about.

Link to post
Share on other sites
On 4/21/2021 at 1:40 PM, robblok said:

Problem is that many people use one password for many sites. I did that in the past too. Then I got LastPass and it remembers all the sites and there is just one main password. So now I don't care anymore if a site is hacked, I got different passwords for all sites. LastPass made it possible, otherwise I would not have done so as I would have to remember them all.

 

 

 

 

I would not use any tool and I find it ridiculous that people are not able to use different passwords for different websites.

It's so easy to set up a rule that allows you to find each website password without having to remember it. Just remember the rule that is similar for all websites and that allows you to create a different password based on this rule.

But it seems too difficult for most people, so funny 🙂

 

  • Like 1
Link to post
Share on other sites
2 minutes ago, salsajapan said:

 

 

I would not use any tool and I find it ridiculous that people are not able to use different passwords for different websites.

It's so easy to set up a rule that allows you to find each website password without having to remember it. Just remember the rule that is similar for all websites and that allows you to create a different password based on this rule.

But it seems too difficult for most people, so funny 🙂

 

Because people use many different websites, I use over 50+ different websites with logon and some have their own limitations. Like you have to use upper case and lower case and number and special things. So sure you could set up a rule or you can just use a tool that does it for you.

 

I don't understand why people take the hard way when you can do it easy. But then again some people are funny like you said. 

  • Haha 1
Link to post
Share on other sites
4 minutes ago, robblok said:

Because people use many different websites, I use over 50+ different websites with logon and some have their own limitations. Like you have to use upper case and lower case and number and special things. So sure you could set up a rule or you can just use a tool that does it for you.

 

I don't understand why people take the hard way when you can do it easy. But then again some people are funny like you said. 

 

I am registered on hundreds of websites...

my rules use special characters and numbers and capital letters, but when not available there is a backup rule that works when special characters or capital letters are not available...

 

yes ! correct ! you are so funny if you trust any tool / program where your passwords are stored, even encrypted....

See you again when you will post here whining about your hacked passwords....

 

 

 

Edited by salsajapan
Link to post
Share on other sites
1 minute ago, salsajapan said:

 

I am registered on hundreds of websites...

my rules use special characters and numbers and capital letters, but when not available there is a backup rule that works when special characters or capital letters are not available...

 

Great.. for you and you know what, I don't even have to type anything as that tool remembers it all and all I have to do is remember the main password and done. It's easier and if only used on a computer it's free. So no complaints. But sure if your system works then have fun with it.

  • Haha 1
Link to post
Share on other sites

OP :

I got the same message last week. It prompted me to spend several hours deleting/updating /checking all the passwords on my Roboform password manager against their list. Such managers are great but they allow you to collect lots of passwords that you've abandoned years ago. 

 

I was absolutely shocked to find that one of the passwords was for a very valuable financial account. That alone made it worth my effort. 

I also took the opportunity to move many of my account email addresses from the brazenly prying eyes of Google Gmail to a truly secure Protonmail account. 

 

In some cases I needed a check code they demanded to send to my USA phone number. Recently Comcast, my USA ISP, has terminated the VOIP service I was using so I no longer have a USA phone number. In any case, believe it or not, Comcast/Xfinity never offered SMS service anyway.

I would be interested to know what/how you will find another service. They are available but charge 3-7 cents per minute. I have about decided to just get a Skype number and pay monthly. Alternately, I'll just close any USA account that demands such type of 2FA to access. The truth is that my roots in America are rapidly withering. It may be another 2 years before I visit again as it's going now. 

 

Thanks for your post. It may save somebody a lot of grief. 

Link to post
Share on other sites

One easy check the OP and others can make with any suspect emails is to check the From address at the top of the email. Anything fake will invariably have something like [email protected] or some such nonsense. Of course, poor English is often a giveaway too, although I once received an email from my bank that had one example of poor English so I checked with them. It was indeed from them, so a case of the world becoming dumber and dumber. Another but less reliable check is if they use your name or simply 'Dear member etc'. If in doubt, do nowt. Or contact the 'sender' using their website contacts to check, as I did with my bank.

Link to post
Share on other sites
1 hour ago, salsajapan said:

 

 

I would not use any tool and I find it ridiculous that people are not able to use different passwords for different websites.

It's so easy to set up a rule that allows you to find each website password without having to remember it. Just remember the rule that is similar for all websites and that allows you to create a different password based on this rule.

But it seems too difficult for most people, so funny 🙂

 

That reminds me of when I took a memory improvement course many years ago. I could not remember the rules I set up. True, not a joke.

Edited by GreasyFingers
Link to post
Share on other sites
34 minutes ago, RocketDog said:

In some cases I needed a check code they demanded to send to my USA phone number. Recently Comcast, my USA ISP, has terminated the VOIP service I was using so I no longer have a USA phone number. In any case, believe it or not, Comcast/Xfinity never offered SMS service anyway.

I had a similar problem with some Australian banks that could not accept an international phone number (their database was not adequate for this digital world). This was when my carrier Telstra stopped international roaming on pre paid accounts.

Link to post
Share on other sites
1 hour ago, GreasyFingers said:

I had a similar problem with some Australian banks that could not accept an international phone number (their database was not adequate for this digital world). This was when my carrier Telstra stopped international roaming on pre paid accounts.

It is interesting that such institutions have forced into a system that they cannot master themselves. I suppose one can call it growing pains but that doesn't make it any less frustrating. As I say, we do have the option of moving to institutions that are more successful in their implementations. 

Link to post
Share on other sites
1 hour ago, GreasyFingers said:

I had a similar problem with some Australian banks that could not accept an international phone number (their database was not adequate for this digital world). This was when my carrier Telstra stopped international roaming on pre paid accounts.

I use a credit union in Australia, they have a phone contact number to verbally verify online transfers with various security questions.

Latrobe Financial sends an SMS code to my Thai mobile for completing my login.

Phone calls to Australia from Thailand are very cheap, usually 20 - 40 baht.

As far as passwords go, every site that needs one has an individual password, the incomplete passwords are then stored in a LibreOffice file accessible only via a thumb drive. Example password: .S.........&. The OS on my laptop and desktop are MX Linux, hackers are focused on Microsoft and Mac. Decentraleyes, Privacy Badger, uBlock and Cookie Autodelete are also there.

Paranoid maybe, but as Kissinger said, even paranoids have enemies.

  • Like 1
Link to post
Share on other sites
On 4/24/2021 at 1:03 PM, Nakdontree said:

This is the normal behaviour of many websites after you've cleaned your browser cache (which you should do at least once a month, anyway).

Yes, it's clearing the cookies out that makes sites "forget" your login.

I run CCleaner daily. (See my above comment re: paranoia and OCD 😆)

Link to post
Share on other sites
4 hours ago, VBF said:

Yes, it's clearing the cookies out that makes sites "forget" your login.

 

Good thinking.  Some browsers would do this automatically if told to.  It's good to know all I need to do is restart the browser to clear the cookies. 

 

[Image: dff.png]

 

There are also browser add-ons for clearing the cookies with a single click without exiting the session.

 

  • Like 1
  • Haha 1
Link to post
Share on other sites
15 hours ago, VBF said:

I just basically don't trust any of the available tools to be themselves secure. I don't believe they are 100% immune from hackers

I would rather keep my passwords in a secure local document and suffer slight inconvenience.

 

Clearly the only smart choices that it seems many do not understand.

But if you apply my rules system you do not need to write any password anywhere.

 

  • Like 1
Link to post
Share on other sites
16 minutes ago, salsajapan said:

 

Clearly the only smart choices that it seems many do not understand.

But if you apply my rules system you do not need to write any password anywhere.

 

Indeed such a smart thing to tell your rules so others use it and hackers and crackers know it. The idea behind such a system is that you keep it quiet.

 

 

  • Like 1
  • Haha 1
Link to post
Share on other sites
On 4/28/2021 at 12:30 PM, robblok said:

Indeed such a smart thing to tell your rules so others use it and hackers and crackers know it. The idea behind such a system is that you keep it quiet.

 

 

 

why people never learn to stop speaking when they are clearly wrong ?!

amazing !

 

  • Like 1
Link to post
Share on other sites
2 hours ago, salsajapan said:

why people never learn to stop speaking when they are clearly wrong ?!

because you are wrong here.

 

imagine a guy with email [email protected] is using a system "website name + 12345" for each website.

then a hacker downloads several large leaked databases and searches for this email:

from ashleymadison.com: [email protected];ashleymadison12345

from sugardaddy.com: [email protected];sugardaddy12345

from facebook.com: [email protected];facebook12345

 

guess which password is used by our smart ass guy on website thaifriendly.com?

  • Haha 2
Link to post
Share on other sites
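The point made in the post above can be checked against your own logins. The following is an added example, not part of any post in this thread: a self-audit that groups a password export by identical password and by identical site-derived pattern. The function names and every entry in `VAULT` are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export (site, password); every value here is made up.
VAULT = [
    ("https://www.bookstore.example/login", "bookstore12345"),
    ("forum.example", "forum12345"),
    ("mail.example", "Mail12345"),
    ("bank.example", "t7#Qm2!vLx9e"),
    ("news.example", "hunter2hunter2"),
    ("video.example", "hunter2hunter2"),
]

def site_label(site):
    """Registrable label of a URL or host: 'www.forum.example' -> 'forum'.
    Simplification: takes the second-to-last label, so 'x.co.uk' is mishandled."""
    host = urlsplit(site if "//" in site else "//" + site).hostname or ""
    parts = [p for p in host.lower().split(".") if p != "www"]
    return parts[-2] if len(parts) >= 2 else "".join(parts)

def template(site, password):
    """Password with the site label swapped for '{site}', or None if absent."""
    label = site_label(site)
    idx = password.lower().find(label) if label else -1
    if idx < 0:
        return None
    return password[:idx] + "{site}" + password[idx + len(label):]

def audit(vault):
    """Group logins by identical password and by identical site-derived template."""
    same_pw, same_rule = defaultdict(list), defaultdict(list)
    for site, password in vault:
        same_pw[password].append(site)
        t = template(site, password)
        if t is not None:
            same_rule[t].append(site)
    return {
        "reused": {p: s for p, s in same_pw.items() if len(s) > 1},
        "rule_based": {t: s for t, s in same_rule.items() if len(s) > 1},
    }

if __name__ == "__main__":
    report = audit(VAULT)
    for rule, sites in report["rule_based"].items():
        print(f"rule {rule!r} is recoverable from any one of: {', '.join(sites)}")
    for sites in report["reused"].values():
        print(f"same password on: {', '.join(sites)}")
```

Any group reported under `rule_based` means a breach at one of those sites exposes the pattern for the rest, so those logins are candidates for replacement with independent random passwords.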
On 4/29/2021 at 3:21 PM, fdsa said:

because you are wrong here.

 

imagine a guy with email [email protected] is using a system "website name + 12345" for each website.

then a hacker downloads several large leaked databases and searches for this email:

from ashleymadison.com: [email protected];ashleymadison12345

from sugardaddy.com: [email protected];sugardaddy12345

from facebook.com: [email protected];facebook12345

 

guess which password is used by our smart ass guy on website thaifriendly.com?

 

 

yes this is stupid, but who is idiot enough to use website name + 12345 ?

maybe it is what you would use ?

 

 

 

Link to post
Share on other sites

do not underestimate the amount of idiots out there, go download any large leak and check how many people use passwords like 123456.

"website name + 12345" could be considered very secure compared to what I've seen.

  • Haha 1
Link to post
Share on other sites

Your passwords can be brilliant concoctions of dozens of symbols that are unbreakable. Won't do much for you though at the rate with which apps, companies and governments are getting virtually violated.

 

I'm still going to keep my passwords crazy, but I fully expect to get completely exposed online sooner or later. Two confidence reducing headlines from the last couple days:

 

Unsecure Apps: Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

 

Government cyber defense fails: 345,000 files from Filipino solicitor-general's office were breached

  • Haha 1
Link to post
Share on other sites
On 4/27/2021 at 4:05 AM, salsajapan said:

I am registered on hundreds of websites...

my rules use special characters and numbers and capital letters, but when not available there is a backup rule that works when special characters or capital letters are not available...

 

yes ! correct ! you are so funny if you trust any tool / program where your passwords are stored, even encrypted....

See you again when you will post here whining about your hacked passwords....

 

That works great until you have to change your password.  Like after a security breach, or just because you haven't logged in for ages.  Or, in many cases, because you're logging in from a different country and they make you reset your password. 

 

Then, you need another rule for websites where you're on your second or third password change.  And how do you remember which sites those are?

 

 

  • Haha 1
Link to post
Share on other sites
14 hours ago, fdsa said:

well, you are uncovering the much deeper issue: the apps, companies and governments are being built insecure from the very beginning and do not even want to become secure.

and the reason is: a human factor (ignorance multiplied by lack of competence plus overall laziness).

Maybe China's got it figured out then: remove the human factor. 

 

Today's headline in Nikkei Asia: Robots will make doubling China's GDP by 2035 look easy

 

Link to post
Share on other sites
