OH NO I'VE BEEN PWNED
-
So I get an email from "Have I been pwned?" that has a link to this page:
https://haveibeenpwned.com/account/ben.lubar%40gmail.com
This breach is from a site I've never heard of. Let's read the description.
GeekedIn: In August 2016, the technology recruitment site GeekedIn left a MongoDB database exposed and over 8M records were extracted by an unknown third party. The breached data was originally scraped from GitHub in violation of their terms of use and contained information exposed in public profiles, including over 1 million members' email addresses. Full details on the incident (including how impacted members can see their leaked data) are covered in the blog post on 8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours.
Compromised data: Email addresses, Geographic locations, Names, Professional skills, Usernames, Years of professional experience
So there was a website that violated GitHub's TOS to steal a bunch of public information, and then they lost that public information because they had a publicly accessible MongoDB server.
OH NO MY PUBLIC INFORMATION IS PUBLIC!
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
So I get an email from "Have I been pwned?"
what a co-winky-dink
@ben_lubar said in OH NO I'VE BEEN PWNED:
This breach is from a site I've never heard of.
me too!
@ben_lubar said in OH NO I'VE BEEN PWNED:
OH NO MY PUBLIC INFORMATION IS PUBLIC!
you'd be surprised how many people fail to grasp that concept.
it's nice to get the notification, if for no other reason than that i can now expect a fresh onslaught of laughable spam as the collected email addresses from the breach make their way into spam email lists.
-
@accalia said in OH NO I'VE BEEN PWNED:
@ben_lubar said in OH NO I'VE BEEN PWNED:
So I get an email from "Have I been pwned?"
what a co-winky-dink
@ben_lubar said in OH NO I'VE BEEN PWNED:
This breach is from a site I've never heard of.
me too!
@ben_lubar said in OH NO I'VE BEEN PWNED:
OH NO MY PUBLIC INFORMATION IS PUBLIC!
you'd be surprised how many people fail to grasp that concept.
it's nice to get the notification, if for no other reason than that i can now expect a fresh onslaught of laughable spam as the collected email addresses from the breach make their way into spam email lists.
My email address was already public on GitHub as well as in like a billion other places, so I'm not worried about a sudden increase in spam because one obscure website also knows my email address.
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
@accalia said in OH NO I'VE BEEN PWNED:
@ben_lubar said in OH NO I'VE BEEN PWNED:
So I get an email from "Have I been pwned?"
what a co-winky-dink
@ben_lubar said in OH NO I'VE BEEN PWNED:
This breach is from a site I've never heard of.
me too!
@ben_lubar said in OH NO I'VE BEEN PWNED:
OH NO MY PUBLIC INFORMATION IS PUBLIC!
you'd be surprised how many people fail to grasp that concept.
it's nice to get the notification, if for no other reason than that i can now expect a fresh onslaught of laughable spam as the collected email addresses from the breach make their way into spam email lists.
My email address was already public on GitHub as well as in like a billion other places, so I'm not worried about a sudden increase in spam because one obscure website also knows my email address.
nah, that's not what i mean. i mean that breach just made it easy for spammers to get a giant new list of email addresses, also possibly enough public info to turn into a reasonable credible extortion letter through the clever use of mail merge.
i expect someone paid for the breach data (or got it themselves) and will use it to try and extort BTC out of me.
those spam messages make me laugh. a lot.
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
My email address was already public on GitHub
Not everyone's emails are public, though. If you sign up for alerts, you get all the breaches. What do you want it to do?
-
@Yamikuronue said in OH NO I'VE BEEN PWNED:
@ben_lubar said in OH NO I'VE BEEN PWNED:
My email address was already public on GitHub
Not everyone's emails are public, though. If you sign up for alerts, you get all the breaches. What do you want it to do?
there's also that. it's a data breach, it got loaded into HIBP because it was a data breach (regardless of whether the source info was public or not) and you were signed up for alerts.
sounds like the system is working.
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
I'm not worried about a sudden increase in spam because one obscure website also knows my email address.
And now we know it because your link to that site contains it !
You just pwned yourself
-
@TimeBandit said in OH NO I'VE BEEN PWNED:
@ben_lubar said in OH NO I'VE BEEN PWNED:
I'm not worried about a sudden increase in spam because one obscure website also knows my email address.
And now we know it because your link to that site contains it !
You just pwned yourself
Is your email address + password pwnd?
-
@Lorne-Kates said in OH NO I'VE BEEN PWNED:
Is your email address + password pwnd?
My password is *********
-
@TimeBandit said in OH NO I'VE BEEN PWNED:
@Lorne-Kates said in OH NO I'VE BEEN PWNED:
Is your email address + password pwnd?
My password is *********
My password is l86d3h8uDTEirWErKfCoJEFiFvZzDTl6FN0zBLnCHZA17Rz1O32aV3R5tgU9qBx.
It's not a password for anything, but it's mine.
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
My password is l86d3h8uDTEirWErKfCoJEFiFvZzDTl6FN0zBLnCHZA17Rz1O32aV3R5tgU9qBx.
Wow, salty.
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
@TimeBandit said in OH NO I'VE BEEN PWNED:
@Lorne-Kates said in OH NO I'VE BEEN PWNED:
Is your email address + password pwnd?
My password is *********
My password is l86d3h8uDTEirWErKfCoJEFiFvZzDTl6FN0zBLnCHZA17Rz1O32aV3R5tgU9qBx.
It's not a password for anything, but it's mine.
You're probably one of those people who wastes UUIDs, aren't you.
-
@TimeBandit hunter1
-
@pydsigner said in OH NO I'VE BEEN PWNED:
You're probably one of those people who wastes UUIDs, aren't you.
uuidgen -n1000
-
@dcon you.... you monster!
-
@Lorne-Kates said in OH NO I'VE BEEN PWNED:
@ben_lubar said in OH NO I'VE BEEN PWNED:
My password is l86d3h8uDTEirWErKfCoJEFiFvZzDTl6FN0zBLnCHZA17Rz1O32aV3R5tgU9qBx.
Wow, salty.
YOU PERVERT!
-
@royal_poet said in OH NO I'VE BEEN PWNED:
@TimeBandit hunter1
Doesn't work on my machine, try changing your password to ******.
Edit: I mean "hunter [no space] 2", grr.
-
@ben_lubar, just wait till someone sends you an email threatening to pwn you even more!
-
thanks
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
thanks
Hey, don't pwn me for pwning you!
And please don't share my secret email address with the INTERNETS!
-
I just checked mine and it says that I got pwned in 2008 by a MySpace leak. Which is really weird since I never had a MySpace account …
-
@abarker said in OH NO I'VE BEEN PWNED:
I just checked mine and it says that I got pwned in 2008 by a MySpace leak. Which is really weird since I never had a MySpace account …
Did you ever use your email address to leave a "guest" comment on someone else's MySpace account?
-
@anotherusername I don't think I've ever even been to MySpace.
-
@abarker said in OH NO I'VE BEEN PWNED:
I don't think I've ever even been to MySpace.
Nothing ventured, nothing lost.
-
@abarker Good thing, too, because Everyone Knows that only pedobear and his cronies hang out on MySpace. No children, just pedophiles. Sort of a virtual bar for swapping stories of the kids they diddled, I guess... sure, that makes sense. So warn everyone who might have a child, know a child, or meet a child at some point in the future not to go there, quick!
Filed Under: is this ~~memes~~ sarcasm?
-
@accalia said in OH NO I'VE BEEN PWNED:
you'd be surprised how many people fail to grasp that concept.
I once was interested in seeing what I could find out about a random person on the internet.
With one google search, I found where they worked, where they lived, the fact that they were selling their house, the fact that they lived with a guy that runs a computer repair service out of that house, where they went to school, etc. etc.
And that was from the first three results after typing in their name.
I'm pretty sure social security and bank account was on page two.
-
I'm waiting for when haveibeenpwned.com tells you that, yes, you have indeed been pwned because of a data breach at haveibeenpwned.com.
-
@xaade said in OH NO I'VE BEEN PWNED:
I'm pretty sure social security and bank account was on page two.
Page 2 of a Google search is the most secure place on the internet
-
@kt_ said in OH NO I'VE BEEN PWNED:
my secret email address
Is GMX any good? I was considering them for a while before I eventually settled on Fastmail (who definitely are any good but cost moneys).
-
@flabdablet said in OH NO I'VE BEEN PWNED:
@kt_ said in OH NO I'VE BEEN PWNED:
my secret email address
Is GMX any good? I was considering them for a while before I eventually settled on Fastmail (who definitely are any good but cost moneys).
I wouldn't know. I use them as disposable mail for sites that don't accept guerrillamail addresses.
-
@cvi I know we've all seen this before, but this quote seems apropos here:
Here are the secret rules of the internet: five minutes after you open a web browser for the first time, a kid in Russia has your social security number. Did you sign up for something? A computer at the NSA now automatically tracks your physical location for the rest of your life. Sent an email? Your email address just went up on a billboard in Nigeria.
-
@ScholRLEA said in OH NO I'VE BEEN PWNED:
five minutes after you open a web browser for the first time, a kid in Russia has your social security number
I'm pretty certain I've never entered that into a browser on this computer. But then we don't use SSNs nearly so much in the UK; the fixation with them appears to be a US thing.
-
@ScholRLEA It's been a while, so I re-read it. The following passage caught my attention this time around:
Eventually every programmer wakes up and before they're fully conscious they see their whole world and every relationship in it as chunks of code,
Sort of happened to me a few times recently, so yay me?
-
Shit, it says my email was leaked by
Dropbox
LinkedIn
GeekedIn
Last.fm
-
@fbmac said in OH NO I'VE BEEN PWNED:
Shit, it says my email was leaked by
Dropbox
LinkedIn
GeekedIn
Last.fm
Oh shit! Better delete that email account!
-
Let's see for me...
000webhost - yeah, not surprising but hey ho, they got my old old IP, my password of "password" and, uh, my name which you can find if you have my email address.
Adobe - yeah, not surprising but again, you guys learned that for a trial account IDGAF about, has a password of "password" or similar
Patreon - no private messages, you can find out I subscribed to one channel for a few months, woo.
Tumblr - wtf. I have a Tumblr account? Wait, it turns out I did indeed have a Tumblr account and it has a unique password that even I don't remember.
vBulletin - shocker. Fortunately, unique password.
Go me.
-
For my old Gmail account:
Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
Compromised data: Email addresses, Password hints, Passwords, Usernames
Meh. It would have been a long, unique, KeePass-generated random password so any kind of hashing scheme, even a pants-on-head Adobe one, won't have been cracked. Even if it was, the only reason I ever had an Adobe account was to get permission to redistribute Flash Player over the school LAN. I so don't care.
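The breach description above says the password cryptography was "poorly done" and that the plain-text hints added to the risk. The following is an added example, not code from the thread or from Adobe: it simulates why deterministic, unsalted encryption of passwords fails in exactly that way. A keyed hash with one shared key stands in for a block cipher in ECB mode (an assumption made so the example runs with only the standard library); the user records, passwords and hints are constructed for the demo. Because equal passwords give equal stored values, an attacker who knows a single plaintext (their own account's password, say) resolves every user in that bucket without ever touching the key, and the hints of every user in an unresolved bucket all describe the same password. The salted, slow hash at the end is the contrast: every bucket has exactly one member.

```python
import hashlib
import secrets
from collections import defaultdict

KEY = b"one key for the whole table"  # assumption: one shared key, no per-user salt


def weak_encrypt(password: str) -> str:
    """Stand-in for unsalted, deterministic encryption (a block cipher in ECB mode
    under one shared key): equal passwords always give equal stored values. A keyed
    hash plays that role here so no third-party crypto library is needed."""
    return hashlib.blake2b(password.encode(), key=KEY, digest_size=16).hexdigest()


def strong_hash(password: str, salt: bytes) -> str:
    """Salted, deliberately slow hash: equal passwords give different digests per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed records: (email, password, plain-text hint). The attacker sees only the
# stored value and the hint, plus the password of the one account they own themselves.
USERS = [
    ("alice@example.com", "password123", "the usual"),
    ("bob@example.com", "password123", "pass + 123"),
    ("carol@example.com", "fluffy2009", "cat's name and year"),
    ("dave@example.com", "password123", ""),
    ("erin@example.com", "fluffy2009", "my cat"),
    ("attacker@example.com", "password123", ""),  # the attacker's own account
]


def weak_dump():
    """What leaks from the deterministic scheme: (email, stored value, hint)."""
    return [(email, weak_encrypt(pw), hint) for email, pw, hint in USERS]


def strong_dump():
    """Same records stored as salt:digest with a fresh random salt per user."""
    rows = []
    for email, pw, hint in USERS:
        salt = secrets.token_bytes(16)
        rows.append((email, salt.hex() + ":" + strong_hash(pw, salt), hint))
    return rows


def group_by_stored_value(dump):
    """Bucket users by stored value. Under deterministic encryption each bucket is a
    set of users sharing one password, so the bucket's hints all describe that password."""
    groups = defaultdict(list)
    for email, stored, hint in dump:
        groups[stored].append((email, hint))
    return groups


def attacker_known(dump):
    """The attacker knows their own password, hence one stored value's plaintext."""
    own = next(stored for email, stored, _ in dump if email == "attacker@example.com")
    return {own: "password123"}


def resolve(dump, known_plaintexts):
    """Attacker view. known_plaintexts maps a stored value to its known password.
    Every user in a bucket with a known member is resolved at once, no key needed.
    Returns (resolved {email: password}, unresolved {stored value: [hints]})."""
    resolved, unresolved = {}, {}
    for stored, members in group_by_stored_value(dump).items():
        pw = known_plaintexts.get(stored)
        if pw is not None:
            for email, _ in members:
                resolved[email] = pw
        else:
            # Every non-empty hint here describes the same unknown password.
            unresolved[stored] = [hint for _, hint in members if hint]
    return resolved, unresolved


def largest_bucket(dump):
    return max(len(members) for members in group_by_stored_value(dump).values())


if __name__ == "__main__":
    weak = weak_dump()
    resolved, unresolved = resolve(weak, attacker_known(weak))
    print("resolved without the key:", resolved)
    print("hints pooled per unresolved password:", list(unresolved.values()))
    print("largest bucket with salted hashes:", largest_bucket(strong_dump()))
```

Note that the attacker never decrypts anything: the grouping alone turns one known password into four recovered accounts, and pools "cat's name and year" with "my cat" against a single target. With per-user salts the same dump yields six singleton buckets, so neither trick applies.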
-
@flabdablet said in OH NO I'VE BEEN PWNED:
hashing scheme
They didn't say hashed.
They say encrypted.
:ROT13.pdf:
-
@Lorne-Kates don't forget the oldie-but-goodie: base-64 encrypted.
If base-64 encryption is good, just think how much better base-256 encryption would be.
-
@anotherusername said in OH NO I'VE BEEN PWNED:
If base-64 encryption is good, just think how much better base-256 encryption would be.
<calculates>
4 times better?
-
@dkf well, it allows you to store the encrypted information 4 times more densely, so... yes!
(edit: yes, I know that's not true either.)
-
@anotherusername said in OH NO I'VE BEEN PWNED:
well, it allows you to store the encrypted information 4 times more densely, so... yes!
4 times more
~~densely~~ stupidly…? Maybe!
-
@Lorne-Kates said in OH NO I'VE BEEN PWNED:
:ROT13.pdf:
ROT13 is easily cracked.
You have to encrypt it twice. ROT26 is twice better.
-
I am quite sure that haveibeenpwned is not legit, despite hearing about it from several sources. I've played with it a bit and entered email addresses that could not be used (try example.com and other impossibly long and random domains) and some are shown as pwned.
I also entered one of my "junk" email addresses and it listed some sites, including MySpace, which I have never used other than browsing a few public pages there. (I was never interested enough to seriously look at that site.)
So either the pwn people are incredibly sloppy in how they detect email addresses, or they are trying to scare everyone to drum up news and are collecting addresses to send spam to them.
-
@quijibo said in OH NO I'VE BEEN PWNED:
I am quite sure that haveibeenpwned is not legit, despite hearing about it from several sources. I've played with it a bit and entered email addresses that could not be used (try example.com and other impossibly long and random domains) and some are shown as pwned.
I also entered one of my "junk" email addresses and it listed some sites, including MySpace, which I have never used other than browsing a few public pages there. (I was never interested enough to seriously look at that site.)
So either the pwn people are incredibly sloppy in how they detect email addresses, or they are trying to scare everyone to drum up news and are collecting addresses to send spam to them.
I'm convinced they are legit. I typed in a few of my email addresses and the info checks out.
Also I rarely use the same email address between sites, so it's a little hard for me to check my emails on this site.
Also @ben_lubar, do you not have a dropbox account?
-
@dangeRuss said in OH NO I'VE BEEN PWNED:
Also @ben_lubar, do you not have a dropbox account?
https://haveibeenpwned.com/account/nightgunner5@llamaslayers.net
I wasn't using that email address when the breach happened.
-
@ben_lubar said in OH NO I'VE BEEN PWNED:
@dangeRuss said in OH NO I'VE BEEN PWNED:
Also @ben_lubar, do you not have a dropbox account?
https://haveibeenpwned.com/account/nightgunner5@llamaslayers.net
I wasn't using that email address when the breach happened.
So you were listening to music back then?
--
Filed under: Probably nobody to get the reference.
-
@dkf said in OH NO I'VE BEEN PWNED:
@anotherusername said in OH NO I'VE BEEN PWNED:
well, it allows you to store the encrypted information 4 times more densely, so... yes!
4 times more
~~densely~~ stupidly…? Maybe!
Things that are almost, but not quite, entirely untrue