[A Demon Llama!]

Just reading Reddit and I there is yet another leak of email (Gmail) usernames and possibly passwords.

Thought that we could make a thread here and post such events for the people that might not read or visit websites in time to secure themselves or maybe just missed it. Its better to take precautionary measures that regret it later.

So this time Gmail leak. Link to Article Link to Reddit comments

A few things from the reddit thread. Here you can download the whole list of usernames that have been leaked (might take some time to open, txt file)

Also if you use any of these passwords, fucken change em.

If you are on the list there change your passwords just in case and everyone should set up the two step authentication on Gmail and other email they use. Its easy.

[Tiste Simeon]

Top comment on reddit:

Quote

Please downvote this back to oblivion where it belongs. It is an aggregation of email addresses they got from hacking certain sites, specifically
bravenet, filesavr, policeauctions, freebiejeebies, bryce, savage, savage2, bioware, friendster, eharmony, daz, daz3d, filedropper, and xtube (and maybe some others)
It is demeaning to Google's excellent security to say "ooooh hackers got yo gmail address and passwords!" when in reality this is "some person got a bunch of hacked emails from various crappy websites, removed all the non-gmail ones, and published it". [edit: there is a version with passwords, but those passwords belong to the crappy websites as far as I've seen]
Of course if you use a similar password for your gmail and another site, you 'deserve' to get hacked if you've ever been informed of basic password security (i.e. you should never use the same password for important sites).
I personally would be more concerned if I had provided shipping address or real name or other info to any of those sites, which could be used for identity theft or linked with my account (but which were not published).

edit:
Most likely a bunch of websites got broken into. If you're worried you are maybe in the 1% of people who had some random account on some random website compromised (or maybe got hacked because you logged into gmail at some internet cafe or a friend's computer... don't do that), you could hypothetically download the list of compromised emails in that thread (mega.co.nz, not the piratebay) and do a search for your own email. It's probably legal since the passwords are not in the same file and email addresses are public information, but don't take my word for it.
edit2:
oh hey, this is top comment... um... tell your little siblings not to use the same password for gmail/bank/etc., don't log in on hardware you don't own even if you have 2-factor authentication (a good thing, turn that on...), check to make sure you aren't being phished by a page which mimics the look of gmail saying "you've been logged off put in your password", turn on email credit card alerts, um.... stuff
only somewhat relevant: http://preshing.com/...word-generator/ "through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess"
websites are really bad at security; expect that most websites you use will be hacked and everything leaked =(

[A Demon Llama!]

Either way better to be informed that not. If it is a true hack rather than just gathering of emails addresses changing your password and activating more security wont do any harm.

[Gredfallan Ale]

A Demon Llama!, on 10 September 2014 - 09:25 PM, said:

Either way better to be informed that not. If it is a true hack rather than just gathering of emails addresses changing your password and activating more security wont do any harm.

It doesn't matter whether or not it's a real Google-hack (it probably isn't), as it's not just gathering e-mail addresses. The most likely scenario is that the attackers gained access to email addresses used for certain websites, with inclusion of the passwords those people used on that website. As a lot of people use the same or related passwords for different websites, you can be quite certain that subset of that list contains valid Google login credentials.

If you use the same password everywhere, only one of those websites needs to be breached for someone to gain access to most of your accounts.

Or consider this guy:


xkcd 792: Password Reuse

[Malaclypse]

Ran out of rep, sorry - awesome comic!

This post has been edited by Malaclypse: 12 September 2014 - 10:51 AM

[Silencer]

It's an unfortunate problem with the web.


You are supposed to never write down your passwords.
You are also supposed to come up with in excess of five, possibly many times that, hard to crack passwords, which you are then supposed to change every three to six months, remember which password belongs to which site(s), and so on and so forth.

Meanwhile, many sites use the (ineffective) password requirements that most people have come to hate - at least 8 characters, including at least one lower case, upper case, number, symbol, blah blah blah. Which not only provides little extra security but makes passwords exponentially harder to remember - it's easy to suggest 'variations', but when you've got at least three essential services with unique passwords, all the others tend to get lost in the blur of barely-used sites with similar-but-more-different-than-the-number-of-options-you-can-try passwords.

You can adopt a tiered system; e.g. work, email, bank, Facebook, PC login, phone = unique, strong passwords; anything else gets something generic but relatively easy to remember for you, yet long and with those pesky requirements taken care of. The problems comes with ever-increasing numbers of systems that need to be put into the first tier, as well as an easily compromised second-tier network which can still cause you problems. (E.g. Got a Steam account? That needs to be first tier. Use Amazon? Again, first-tier. That's already eight unique, "strong" passwords you need to remember and change regularly....)


Frankly, we need a better system. Never mind that under the current trend, if your email does get compromised, 90% of your other services will also be at risk (unless you use disposable emails to sign up to things - but that just further complicates the password tango) as people can just try "reset password" on various services once they have your email.


Add into that the staggering amount of people not even using basic antivirus software on their smartphones....


Blegh.

[Illuyankas]

Smartphone virus protection is something that people simply don't talk about, isn't advertised enough or even seen as a thing by a lot of people.

[Gredfallan Ale]

Basically, we're in desperate need for widespread use of different security models like two-step authentication. Responsible password or passphrase behavior just doesn't work that well for most people, as it's just not that compatible with our memory.

The system I use is pretty simple, I use a password manager with random passwords for what Silencer calls the lower-tiered websites. If the file is somehow breached, that only compromises "fun" accounts, like this forum. For more important websites, I use unique, strong (random generated) passwords that I painstakingly learn by heart (brain...). This minimizes the chance of one server leak spilling over to my other accounts.

The only frustrating part of this is logistics: Without that file, I can't access most of the websites I frequent, only the first tier websites.

This post has been edited by Gredfallan Ale: 12 September 2014 - 12:39 PM

[drinksinbars]

i would recommend writing passwords down simply to combat the requirement for having disposable passwords. dont write the user names down, if you have a hand written password stored at home in a secure location without the usernames associated and update that its highly unlikely someone will be able to steal them, or would even look for them. what is a burglar going to steal, a tv or laptop, or a small notebook on a shelf?

also although i use android i do not use apps on my phone or mobile data, but if your going to use lots of net based things on a smart phone, windows phones are most secure as their apps are signed. very difficult to have secure content on phones if you are online all the time using apps that could be written by and published by anyone.

posting in social media details about your life is an easy way to get hacked as msot security questions for sensible things like money transactions etc and proof of identity are little more than your date of birth or your mothers maiden name. people just need to be sinsible and take reaonable precautions.

[Dadding]

Try using 1password, it's secure and makes life a lot easier.

[Whisperzzzzzzz]

Silencer, on 12 September 2014 - 11:39 AM, said:

Add into that the staggering amount of people not even using basic antivirus software on their smartphones....


Blegh.

I understand the need, but most mobile solutions either appear to me to be bloaty or useless. Any recommendations? Especially for one that doesn't require an ongoing notification...

[Macros]

I haven't looked into mobile security, I probably should as I work off my phone quite a bit now.
Anyone have any experience on that front for windows phone?

[Vengeance]

drinksinbars, on 12 September 2014 - 12:48 PM, said:

i would recommend writing passwords down simply to combat the requirement for having disposable passwords. dont write the user names down, if you have a hand written password stored at home in a secure location without the usernames associated and update that its highly unlikely someone will be able to steal them, or would even look for them. what is a burglar going to steal, a tv or laptop, or a small notebook on a shelf?

also although i use android i do not use apps on my phone or mobile data, but if your going to use lots of net based things on a smart phone, windows phones are most secure as their apps are signed. very difficult to have secure content on phones if you are online all the time using apps that could be written by and published by anyone.

posting in social media details about your life is an easy way to get hacked as msot security questions for sensible things like money transactions etc and proof of identity are little more than your date of birth or your mothers maiden name. people just need to be sinsible and take reaonable precautions.

My god you actually exist and weren't just a figment of my imagination and Morgy's nightmares.

[A Demon Llama!]

I know there's Avira and malwarebytes for android. I have both installed on my PC. I'm sure they are also available for windows phone. I would recommend these if they are as effective on a phone as on my computer.

[worry]

Huh. So security-wise, we should be doing more than keeping our nudes in a folder marked Diff'rent Strokes FanFic? You learn something new every day.

[Gnaw]

Another appropriate XKCD

[drinksinbars]

Vengeance, on 12 September 2014 - 05:42 PM, said:

drinksinbars, on 12 September 2014 - 12:48 PM, said:

i would recommend writing passwords down simply to combat the requirement for having disposable passwords. dont write the user names down, if you have a hand written password stored at home in a secure location without the usernames associated and update that its highly unlikely someone will be able to steal them, or would even look for them. what is a burglar going to steal, a tv or laptop, or a small notebook on a shelf?

also although i use android i do not use apps on my phone or mobile data, but if your going to use lots of net based things on a smart phone, windows phones are most secure as their apps are signed. very difficult to have secure content on phones if you are online all the time using apps that could be written by and published by anyone.

posting in social media details about your life is an easy way to get hacked as msot security questions for sensible things like money transactions etc and proof of identity are little more than your date of birth or your mothers maiden name. people just need to be sinsible and take reaonable precautions.

My god you actually exist and weren't just a figment of my imagination and Morgy's nightmares.

no no, you wrote this post while drunk, now your high

[Vengeance]

drinksinbars, on 22 September 2014 - 09:09 AM, said:

Vengeance, on 12 September 2014 - 05:42 PM, said:

drinksinbars, on 12 September 2014 - 12:48 PM, said:

i would recommend writing passwords down simply to combat the requirement for having disposable passwords. dont write the user names down, if you have a hand written password stored at home in a secure location without the usernames associated and update that its highly unlikely someone will be able to steal them, or would even look for them. what is a burglar going to steal, a tv or laptop, or a small notebook on a shelf?

also although i use android i do not use apps on my phone or mobile data, but if your going to use lots of net based things on a smart phone, windows phones are most secure as their apps are signed. very difficult to have secure content on phones if you are online all the time using apps that could be written by and published by anyone.

posting in social media details about your life is an easy way to get hacked as msot security questions for sensible things like money transactions etc and proof of identity are little more than your date of birth or your mothers maiden name. people just need to be sinsible and take reaonable precautions.

My god you actually exist and weren't just a figment of my imagination and Morgy's nightmares.

no no, you wrote this post while drunk, now your high

Yeah and?

[Tapper]

drinksinbars, on 22 September 2014 - 09:09 AM, said:

Vengeance, on 12 September 2014 - 05:42 PM, said:

drinksinbars, on 12 September 2014 - 12:48 PM, said:

i would recommend writing passwords down simply to combat the requirement for having disposable passwords. dont write the user names down, if you have a hand written password stored at home in a secure location without the usernames associated and update that its highly unlikely someone will be able to steal them, or would even look for them. what is a burglar going to steal, a tv or laptop, or a small notebook on a shelf?

also although i use android i do not use apps on my phone or mobile data, but if your going to use lots of net based things on a smart phone, windows phones are most secure as their apps are signed. very difficult to have secure content on phones if you are online all the time using apps that could be written by and published by anyone.

posting in social media details about your life is an easy way to get hacked as msot security questions for sensible things like money transactions etc and proof of identity are little more than your date of birth or your mothers maiden name. people just need to be sinsible and take reaonable precautions.

My god you actually exist and weren't just a figment of my imagination and Morgy's nightmares.

no no, you wrote this post while drunk, now your high

It sure is good to see you here again!