
Possible Email hacking.



Guest CLARENCE

A friend of my wife has just today phoned to tell us that she has had several emails apparently from us via Yahoo Mail, offering among other things to sell her Bitcoins. We know we haven't done this, so any ideas where they're coming from and how?


  • RMweb Premium

Due to its age and the era when it was developed, the email system is imperfect - it unfortunately allows for 'spoofing' of email addresses. That is, it is possible to make it look like an email came from a different address to the one that actually sent it. Only by examining the 'headers' (normally hidden from view) is it possible to get some idea that it was spoofed.

Edited by Ian J.

Yes, I would not worry too much. I regularly get emails from myself blackmailing me for bitcoins to be paid to myself immediately otherwise I will show the world an embarrassing vid of myself.

 

Just ignore and take standard precautions like scanning your computer for malware (spybot is good at that) and changing your password to your email.


A friend of my wife has just today phoned to tell us that she has had several emails apparently from us via Yahoo Mail, offering among other things to sell her Bitcoins. We know we haven't done this, so any ideas where they're coming from and how?

 

 

Don't worry about this . . . just tell your friend to delete them.

 

It is most likely that your address has been harvested from someone's PC or during one of the major data breaches that have happened to Yahoo in the past.

 

As with the telephone numbers used in scam calls, it is possible to spoof an e-mail address if you know how. If you are interested and know someone who is capable, it is usually possible to determine the actual address used to send the e-mail which will often be a strange one with .ru or .ro or else something completely bizarre at the end!

 

I would personally never use any of the mail services from Yahoo, GMail, Hotmail, etc., as I have seen the issues that people have with them far too often.

 

John

Edited by JJGraphics
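Ian J. and John both point at the same check: the visible From: line proves nothing, and only the hidden headers (Return-Path, the Received: chain, and the SPF/DKIM/DMARC results the receiving server records in Authentication-Results) show where a message really came from. The script below is an added example, not code from either poster or from Yahoo; it runs over two constructed messages (placeholder `.example` domains and RFC 5737 documentation IP addresses) and flags the one whose envelope sender and authentication results disagree with the From: header.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real mail). Domains and addresses are
# placeholders; IPs are from the RFC 5737 documentation ranges.
SPOOFED = b"""\
Return-Path: <bounce@mail.sender.example>
Received: from mx1.recipient.example (mx1.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123
Received: from unknown (HELO mail.sender.example) (198.51.100.23)
\tby mx1.recipient.example with SMTP
Authentication-Results: mx1.recipient.example;
\tspf=fail smtp.mailfrom=mail.sender.example;
\tdkim=none;
\tdmarc=fail header.from=yahoo.com
From: "Clarence" <clarence@yahoo.com>
To: friend@recipient.example
Subject: Would you like some Bitcoins?

The From: line above is what the recipient sees; the envelope says otherwise.
"""

LEGIT = b"""\
Return-Path: <clarence@yahoo.com>
Received: from sonic.mail.yahoo.example (sonic.mail.yahoo.example [203.0.113.5])
\tby mx1.recipient.example with ESMTPS
Authentication-Results: mx1.recipient.example;
\tspf=pass smtp.mailfrom=yahoo.com;
\tdkim=pass header.d=yahoo.com;
\tdmarc=pass header.from=yahoo.com
From: "Clarence" <clarence@yahoo.com>
To: friend@recipient.example
Subject: Hello

A genuine note.
"""


def analyse_headers(raw: bytes) -> dict:
    """Compare the visible From: address with the envelope sender and the
    receiving server's authentication results, and return the findings."""
    msg = email.message_from_bytes(raw)
    _, header_from = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))

    # Authentication-Results is written by the receiving mail server, so an
    # attacker cannot forge it the way they forge From:.
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        results[mech] = m.group(1).lower() if m else "missing"

    # Each relay prepends its own Received: header, so the LAST one is the hop
    # closest to the real sender. Collapse folded whitespace for readability.
    received = msg.get_all("Received") or []
    first_hop = re.sub(r"\s+", " ", received[-1]).strip() if received else ""

    header_domain = header_from.rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    aligned = bool(header_domain) and (
        envelope_domain == header_domain or envelope_domain.endswith("." + header_domain)
    )

    reasons = []
    if not aligned:
        reasons.append("envelope sender does not match visible From")
    if results["spf"] == "fail":
        reasons.append("SPF failed")
    if results["dmarc"] == "fail":
        reasons.append("DMARC failed")

    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "auth": results,
        "first_hop": first_hop,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse_headers(raw))
```

In a real mailbox the raw headers come from the client's "view source" or "show original" option; the analysis is the same, and the DMARC result in particular tells you whether the owner of the From: domain has published a policy that the receiving server already checked.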

  • RMweb Gold

Agreed with everything said above, apart perhaps from the advice not to use GMail or Hotmail. I don't think they are problematic themselves it's just that their email addresses were stored in third party databases and were leaked from there.

 

This has been said many times but: Don't trust any email from any source you're not expecting, no matter how official or convincing it looks, and never ever click on anything inside one of them. Simply delete it.

 

P.S. It's quite entertaining to judge the quality of the scam attempts: Bad spelling, bad grammar, missing graphics, mangling your name, links that clearly lead to a different address than they should do, the involvement of a Nigerian prince, etc., etc...

Edited by Harlequin

  • RMweb Premium

Yes, I would not worry too much. I regularly get emails from myself blackmailing me for bitcoins to be paid to myself immediately otherwise I will show the world an embarrassing vid of myself.

 

Just ignore and take standard precautions like scanning your computer for malware (spybot is good at that) and changing your password to your email.

I've had one of those that went straight to my spam folder. Needless to say it was deleted forthwith.


  • RMweb Premium

Yes, I would not worry too much. I regularly get emails from myself blackmailing me for bitcoins to be paid to myself immediately otherwise I will show the world an embarrassing vid of myself.

 

 

There will be a picture of you standing by a Great Western engine.


There will be a picture of you standing by a Great Western engine.

My uncle was a fireman on the Midland Region, so that's not out of the realms of possibility...

 

On a side note, it's remarkable how these people have got a video of me through my webcam when I don't have one :)


  • RMweb Premium

You can use https://haveibeenpwned.com/ to see if an account has been compromised at some stage.

 

If it comes up positive, just change your password.

 

Generally, the advice posted by other members is sound.

 

Rob

I've also tried it on an old e-mail address. It came up as being hacked three times! :O  When I checked I found it had been closed by the IP.


  • RMweb Premium

Mine's on HIBP 7 times, it happens, one of those things.

 

The Pwned Passwords checker is probably more useful. You put your password in and it tells you if it's been exposed in a breach. No help if you don't have an unusual password (passw0rd has been seen 216,221 times!), but obviously we're all using really long and unusual passwords, aren't we? Ignore the advice that adding in non-alphanumeric characters helps; use long and unique passwords. A sentence, or series of words, is perfect.

 

I can take comfort that none of the passwords for accounts I care about appear there.


  • RMweb Premium

Mine's on HIBP 7 times, it happens, one of those things.

 

The Pwned Passwords checker is probably more useful. You put your password in and it tells you if it's been exposed in a breach. No help if you don't have an unusual password (passw0rd has been seen 216,221 times!), but obviously we're all using really long and unusual passwords, aren't we? Ignore the advice that adding in non-alphanumeric characters helps; use long and unique passwords. A sentence, or series of words, is perfect.

 

I can take comfort that none of the passwords for accounts I care about appear there.

 

It's not generally (if ever) a good idea to type any password into someone else's password checker...


It's not generally (if ever) a good idea to type any password into someone else's password checker...

 

 

Absolutely!

 

NEVER do it, no exceptions. Keep your passwords to yourself!

 

John

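The caution from Coryton and John is sound for any web form that asks for a password. The Pwned Passwords service mentioned earlier was built with exactly that objection in mind: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, receives every suffix the service holds for that prefix, and does the comparison on the client. The block below is an added example, not code from anyone in this thread or from Have I Been Pwned; it reproduces that exchange entirely offline against a constructed stand-in server with made-up counts, and records what the server actually learns, which is the five-character prefix and nothing else.

```python
import hashlib


def sha1_prefix_suffix(password: str) -> tuple:
    """Hash the password locally; only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Scan a 'SUFFIX:COUNT' range response for our 35-character suffix; 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


class ConstructedRangeServer:
    """Offline stand-in for the range endpoint (constructed for this example).
    It is seeded with made-up counts for a few sample passwords and records
    which prefixes were requested, so we can show what the server learns."""

    def __init__(self, seeded: dict):
        self.ranges = {}
        for password, count in seeded.items():
            prefix, suffix = sha1_prefix_suffix(password)
            self.ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
        # A few filler suffixes so each range holds more than one line, as the
        # real service's ranges do (hundreds of suffixes per prefix).
        for i in range(3):
            filler = hashlib.sha1(f"filler-{i}".encode()).hexdigest().upper()[5:]
            for lines in self.ranges.values():
                lines.append(f"{filler}:{i + 1}")
        self.requested = []

    def get_range(self, prefix: str) -> str:
        self.requested.append(prefix)
        return "\r\n".join(self.ranges.get(prefix, []))


def check_password(password: str, range_lookup) -> int:
    """k-anonymity check: send only the prefix, compare suffixes locally.
    With the real service, range_lookup would fetch
    https://api.pwnedpasswords.com/range/<prefix> and return the response body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(range_lookup(prefix), suffix)


# Constructed sample data: counts are made up for this example, not breach figures.
SAMPLE_SERVER = ConstructedRangeServer({"passw0rd": 1000, "letmein": 250})


if __name__ == "__main__":
    for pw in ("passw0rd", "letmein", "a passphrase nobody seeded here"):
        print(pw, "->", check_password(pw, SAMPLE_SERVER.get_range))
    print("prefixes the server saw:", SAMPLE_SERVER.requested)
```

The design choice worth noticing is that the server answers with the whole range rather than a yes/no, so it cannot tell which of the several hundred suffixes the client was interested in; the only information disclosed is that the password's hash starts with one particular prefix, which narrows it to roughly one in a million of all possible hashes.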

  • RMweb Premium

Primarily because it assumes a person will be trying to guess your password, and you'll therefore somehow flummox them by throwing in some exclamation marks and dollar signs. Obviously this is generally not the case, and therefore longer (and easier to remember) is better. Don't not add exclamation marks if you want, but don't think Pa$$W0rD! is materially harder to guess than password. Indeed, if you use How Secure is my Password you'll see times to crack:

Password: instant
Pa$$W0rD!: 4 weeks
longerpassword: 51 years
howaboutthisforasecurepassword: 2 septillion years

Summarised very eloquently by XKCD:

 

password_strength.png


  • RMweb Premium
8 minutes ago, njee20 said:

Primarily because it assumes a person will be trying to guess your password, and you'll therefore somehow flummox them by throwing in some exclamation marks and dollar signs. Obviously this is generally not the case, and therefore longer (and easier to remember) is better. Don't not add exclamation marks if you want, but don't think Pa$$W0rD! is materially harder to guess than password. Indeed, if you use How Secure is my Password you'll see times to crack:

Password: instant
Pa$$W0rD!: 4 weeks
longerpassword: 51 years
howaboutthisforasecurepassword: 2 septillion years

Summarised very eloquently by XKCD

If it gets "password" instantly then it must be using a dictionary, not just trying random character combinations.

It therefore seems odd to me that a string of 7 correctly spelled, common words, would take 2 septillion years.

(And I would say that 4 weeks is materially longer than instant - if someone has picked up a list of encrypted passwords, if they have to take 4 weeks on each one it's going to be quite a long job).

If not using words, throwing in non-alphanumeric characters increases the number of characters that a successful cracking program has to use, thereby slowing it down.


  • RMweb Premium

No two sites I go onto have the same password. I use a formula to make a different one for each site. There are also 3 formulas,

the easiest is just forum passwords. (and I don't use my real name)

the next is for accounts where I buy things..

The hardest is for the credit card, it's the only place I use it, (but having a formula makes it for me easier to remember.)

I don't have account banking online..

As for the email accounts, unless Gmail and BT have been hacked they only have the account name, not the password, and of course they are different.


  • RMweb Premium
1 hour ago, Coryton said:

If it gets "password" instantly then it must be using a dictionary, not just trying random character combinations.

It therefore seems odd to me that a string of 7 correctly spelled, common words, would take 2 septillion years.

(And I would say that 4 weeks is materially longer than instant - if someone has picked up a list of encrypted passwords, if they have to take 4 weeks on each one it's going to be quite a long job).

 If not using words, throwing in non-alphanumeric characters increases the number of characters that a successful cracking program has to use, thereby slowing it down.

But making it longer is better than adding random characters (and far easier to remember), which was my point. A longer password with just letters will almost always be more secure than a shorter one with random characters. The reason it guesses 'password' so quickly is because it's so common, so it's not so much that it's using a dictionary but that it may as well check all the really common choices first. I've never dug into the backend of how it works, it's just a useful illustration, feel free to ignore it entirely.

But yes, I'll admit I was surprised it made as much difference as it did, and I would agree with you that 4 weeks is better than 'instantly' :-)

FWIW I take a part of the site I'm registering for in my password, so I'd have PasswordWeb for here (for example). Unique passwords that are easy to remember. Or use a password manager.

Edited by njee20

  • RMweb Premium
2 hours ago, njee20 said:

The reason it guesses 'password' so quickly is because it's so common, so it's not so much that it's using a dictionary but that it may as well check all the really common choices first. I've never dug into the backend of how it works, it's just a useful illustration, feel free to ignore it entirely.

But yes, I'll admit i was surprised it made as much difference as it did, and I would agree with you that 4 weeks is better than 'instantly' :-)

FWIW I take a part of the site I'm registering for in my password, so I'd have PasswordWeb for here (for example). Unique passwords that are easy to remember. Or use a password manager.

Password crackers used dictionaries when they first came into vogue. I'd be surprised if they had given that up now.

I think the main danger for most people is an encrypted password file from one site being stolen, or somebody making rapid repeated attempts on a service that doesn't do anything to prevent that. The most important thing is probably not using the same password anywhere. And I'm not convinced that many people would go through a stolen password list and bother with any that took 4 weeks to do, or try that long to get into a single account.

If someone is really determined to get into one particular account, they probably have better ways anyway.

I don't often disagree with Randall Munroe, but I don't think the assumption that nobody is going to run a password cracker that uses simple dictionary words is a good one. And there's a lot more typing involved his way...


  • RMweb Premium

I read this article years ago https://www.wired.co.uk/article/password-cracking and it was quite enlightening as to what is done to crack passwords. Basically, if you put at least one of each category of character - lower case; upper case; number; symbol - into your password, it ups the amount of processing required to figure it out. Short passwords are always easy, long passwords will always be harder, but having only letters and spaces (as per the example in a post further up) leaves things a bit too straightforward. Simple substitutions ($ for s, etc.,) are also too easy, so use unexpected substitutions, or add in a small invented word with substitutions in it to your phrase, to get the necessary number of character types in. This method can be used with a sentence from a book as well - "To be or not to be, that is the f@^k!g3st question." is very hard to crack as the invented word "f@^k!g3st" cannot be found in any dictionary. As each person would/should come up with their own invented words, then it's also practically impossible/worthless keeping a dictionary of them.

Edited by Ian J.
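njee20's table of cracking times, Coryton's objection that seven dictionary words should not score like thirty random letters, and Ian J.'s point about character classes are all statements about the size of the space an attacker has to search. The script below is an added example (not from any poster, and not the method used by the "How Secure is my Password" site) that scores the same strings from the thread under three attacker models: exhaustive search over the character classes the password actually uses, a dictionary of common words, and a leaked-password list. The guess rate of 1e10 per second and the 20,000-word dictionary are assumptions chosen for illustration.

```python
import math
import string

# Assumed attacker speed: 1e10 guesses/second, roughly an offline attack on a
# fast unsalted hash with GPUs. An assumption for illustration, not a measurement.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must assume, based on which
    character classes the password actually uses (the mixed-classes argument)."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(size for alphabet, size in classes if any(c in alphabet for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker tries every string of this length over the charset."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy if the attacker knows the password is num_words words drawn from
    a dictionary of dictionary_size entries (the dictionary-attack model)."""
    return num_words * math.log2(dictionary_size)


def common_list_bits(rank: int) -> float:
    """A password at position `rank` in a leaked-password list falls after
    `rank` guesses, whatever its length or character mix."""
    return math.log2(rank)


def seconds_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust a space of 2**bits guesses at `rate` per second."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    units = (("years", 365 * 86400), ("weeks", 7 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def compare(password: str, words: int = 0, dictionary_size: int = 20_000) -> dict:
    """Score one password under the brute-force model and, if it is made of
    dictionary words, under the word-list model as well."""
    bf = brute_force_bits(password)
    out = {
        "password": password,
        "brute_force_bits": round(bf, 1),
        "brute_force_time": human_time(seconds_to_crack(bf)),
    }
    if words:
        wl = wordlist_bits(words, dictionary_size)
        out["wordlist_bits"] = round(wl, 1)
        out["wordlist_time"] = human_time(seconds_to_crack(wl))
    return out


if __name__ == "__main__":
    # The four strings from the thread; the last one is also seven common words.
    for row in (compare("password"), compare("Pa$$W0rD!"), compare("longerpassword"),
                compare("howaboutthisforasecurepassword", words=7)):
        print(row)
    print("'password' near the top of a leaked list:",
          human_time(seconds_to_crack(common_list_bits(10))))
```

Running it shows both sides of the argument in numbers: Pa$$W0rD! (nine characters over a 95-symbol alphabet, about 59 bits) sits below longerpassword (fourteen lowercase letters, about 66 bits) under brute force, which is njee20's point; but the thirty-letter phrase drops from about 141 bits to about 100 bits once the attacker treats it as seven words from a 20,000-word dictionary, which is Coryton's point, and "password" itself falls in a handful of guesses under the leaked-list model however it is scored otherwise.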

  • RMweb Premium

Well yes, but that just proves the point about being hard to remember. Can you honestly remember the order you typed those random characters in your made up word? 

 

As I’ve already said I’m not suggesting people don’t use random characters, but longer is still better. Longer with random characters best of all, but we’re cultivated to make passwords that are easy to guess and hard to remember. 

 

Or just use a password manager. 

