
Password Breach? at WebMasterWorld

security, password, breach, extortion emails


MikeGale

2:32 am on Oct 22, 2018 (gmt 0)

10+ Year Member



WebMasterWorld may have had its password database breached.

Today I received one of those silly fake extortion emails.

It quoted a password. With some luck I was able to track that password down to one used on WebMasterWorld. That is the only place it was ever used. It's linked to my email.

I haven't used the site since about 2010, but I find that my account, with the compromised password is still active.

I'm safe and I've altered the password and will not use the site any time soon.

Others may not be so fortunate. Hence this warning.

So consider changing your password. If you sometimes use a common one across web sites and used it here, your funeral, and if you can track down this or any fake extortion ring I suggest you DOX them so that decent humans can purify the planet a little.

Their message is akin to this:

My nickname in darknet is <soon-to-be-dead>.
I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

So, your password from <kill-all-extortionists@smashtheirbrainsin.com> is <ultra-secret-password>

Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history.
Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the intimate content sites that you occasionally visit.
You have a very wild imagination, I tell you!

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching.
Oh my god! You are so funny and excited!

I think that you do not want all your contacts to get these files, right?
If you are of the same opinion, then I think that $<Some-Number> is quite a fair price to destroy the dirt I created.

Send the above amount on my BTC wallet (bitcoin): <Some-GUID>
As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Otherwise, these files and history of visiting sites will get all your contacts from your device.
Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it!

Since reading this letter you have 48 hours!
After your reading this message, I'll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson.
Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere!
Good luck!

stever

11:04 am on Oct 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>Of course, I assume you've changed your passwords by now.
Yes, of course.

Optimal personal pw security these days is a confusing issue.

Like many here, I assume, I use a string of 'simpler' letters and numbers for forum accounts like this one or my team forum, to take a couple of examples where it doesn't really matter a whole heap if they were ever compromised. For web services or financial matters I use 'harder' generated pws. And each, whether 'harder' or 'simpler' is individual.

But even then, I and anyone else here is probably talking about 20-50 complicated and secure pws which are impossible for anyone to remember. So what do you do:
i) write them down somewhere (and, possibly, keep another insecure hard copy in case of house/office disaster)
ii) store them somewhere which may or may not be invulnerable to external access attempts (e.g. on an old computer which is never connected to the internet or to any other networks)
iii) use a commercial service or a master password programme and hope that they never get hacked
iv) log in with your FB or Google access details (as many sites appear to be appealing for you to do these days) and pray that hackers, government or FB/Google don't ever use those details for their own nefarious purposes or get hacked themselves

keyplyr

11:15 am on Oct 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I and anyone else here is probably talking about 20-50 complicated and secure pws which are impossible for anyone to remember. So what do you do...
I've written all my passwords down on a piece of paper, folded it up a few times and put it in an empty mayonnaise jar. This jar was buried at midnight in an undisclosed location which I plan on rotating every few nights... and I was sure not to bury it under a full moon.

onlineleben

11:32 am on Oct 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Of course, I assume you've changed your passwords by now.

Sure :)
And not only here, but on a few other sites and the mail account that came through as well.
All after swiping my machine with whatever tools I have.

MikeGale

9:25 pm on Oct 23, 2018 (gmt 0)

10+ Year Member



Samizdata: That's an important point. Could you look up the details, notification time / content, breach time / detailed report etc. and post it here? Then we can check instead of chasing shadows. (I didn't find a message or notes about that in my inbox on this server or on my local systems.)

stever: That's very useful. Thanks for letting us know that you had a similar experience.

engine: One thing that can be done is make the new password quickly identifiable. For example, incorporate a string that identifies the site. That makes it easier to nail future breaches.

justpassing: It's worth considering some of the problems of getting involved with passwords. 0) I've had sites that force me to use weaker passwords (than I normally would), which, needless to say, doesn't improve my opinion of them. 1) I've had sites (often) that have some algorithm for a "good password" that they don't explain next to the password entry field; I truly hate that. I sometimes enter a very strong password only to have some defective algorithm reject it as weak. Grrrr. 2) I've had a few sites that alter the capitalisation of the password that I enter. This utterly beggars belief. 3) I've had sites hounding me to change passwords on their cycle, which is intensely annoying. Say I'm overseas and very busy. Doubly so if I changed it a few days before. 4) If you nanny your users then you're assuming some responsibility for any mistakes that they make. Do you really want that?

If you live in NZ consider keeping the evidence and reporting to the police. They have some meaningful penalties and with any luck multiple reports might fine perpetrators into poverty. [cert.govt.nz]

Samizdata

2:08 am on Oct 24, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I didn't find a message or notes about that in my inbox

My recollection is that the information was posted by Brett and pinned in the Active Post list.

I can't remember what year it was, but I did change my password as advised.

...

lucy24

3:53 am on Oct 24, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Obligatory link at this point in the discussion:

[xkcd.com...]

MikeGale

4:38 am on Oct 24, 2018 (gmt 0)

10+ Year Member



After a decade away from the blogosphere I re-entered and posted an article about making passwords more identifiable, should they leak. <snip>



[edited by: not2easy at 5:15 am (utc) on Oct 24, 2018]
[edit reason] Please Read ToS [/edit]

MikeGale

9:08 pm on Oct 24, 2018 (gmt 0)

10+ Year Member



There's been a second extortion attempt on same breach. Different text. Different Bitcoin wallet. Same password.

That'll probably be the end of this for me.

I'll be pleased to see the breach details when they're published.

brotherhood of LAN

3:49 pm on Oct 25, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




My recollection is that the information was posted by Brett and pinned in the Active Post list.

I can't remember what year it was, but I did change my password as advised.


I vaguely remember such a thing (and had searched my historical emails... notifications must've been in the forum only).

Makes sense, as both members reporting WebmasterWorld-specific passwords have been members for 15+ years.

Samizdata

9:48 am on Oct 27, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Today I received one of those silly fake extortion emails.

Mine turned up today.

It used the password that I changed about ten years ago after Brett's warning post.

The email text was slightly different to the example posted above, but it was essentially the same.

I will not be parting with $837 in BitCoin anytime soon.

...

Jonesy

1:22 am on Oct 28, 2018 (gmt 0)

10+ Year Member Top Contributors Of The Month



Got one, too. A few days ago.

I have a wild-card email account. My WebmasterWorld email addy is (was) a unique, not-used-anywhere-else email address. The "silly fake extortion email" was sent to that email address. I have no memory of any spam ever being sent to that email addy.

The Subject: and the opening salutation was my unique, not-used-anywhere-else WebmasterWorld password.

My thinking is that the slimeball was in possession of a cracker's database dump without the meta information concerning what the emails/passwords were associated to.

I changed my password and my WebmasterWorld email addy, and I soldier on.

Jonesy

lammert

7:01 pm on Oct 28, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I will not be parting with $837 in BitCoin anytime soon.

You are lucky. The request sent to me amounted to $872. Both the email address and password used in the extortion email were unique to what I have used at WebmasterWorld.com. So the information was collected from this site directly or from password notification emails sent by WebmasterWorld in the past, not from any other place.

That said, the password was something I used about 10 years ago, so it seems to be pretty old data.

lammert

7:37 pm on Oct 28, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



As background, this is the discussion in 2011 where member pbreit is complaining about using plain passwords in WebmasterWorld notification emails: [webmasterworld.com...]

If you scroll down about 25 messages in that discussion, you will find a post where Brett acknowledges that since 1999 passwords have been stored in plain text. He also explains why that was--given the circumstances of that moment--the best way to manage passwords at the site.

I also remember the password drill thread initiated by Brett, but I can't find it with Google and I am not sure whether it was before or after the complaints by pbreit in 2011. Maybe that drill thread has never been indexed, or it could have been in one of the private sections of the site.

justpassing

10:42 pm on Oct 28, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



stored in plain text.

the best way to manage passwords at the site.

:rolling eyes:

Samizdata

11:11 pm on Oct 28, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I also remember the password drill thread initiated by Brett, but I can't find it

My records suggest that it was no later than December 2008, so a good ten years ago.

As best I can remember, it was along the lines of "suspicious activity detected, password change strongly advised".

It seemed like good advice, I wouldn't want anyone posting in my name.

....

keyplyr

11:25 pm on Oct 28, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



rolling eyes
Roll your eyes if you want but in 2006 or 2007, I'm pretty sure most all forum passwords were stored in plain text unless the site was banking or other high security platforms. Silly to judge yesterday's practices with today's technology.

If you haven't updated your passwords since then, I don't know what to tell you.

RhinoFish

10:29 pm on Oct 29, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The words you're looking for are "good luck".
:-)

keyplyr

10:55 pm on Oct 29, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



...and thanks for all the fish.

lucy24

11:00 pm on Oct 29, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



this is the discussion in 2011
Thanks, lammert. I looked but couldn't find it. (Finding ancient threads is not one of my skills. It's like having absolute pitch: you've either got it or you haven't.) I'd forgotten just how gratuitously vicious some of the replies were.

justpassing

4:01 pm on Oct 30, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



if you want but in 2006 or 2007,

In 1995, I was already using hashes to store passwords when building my first site, from my teen bedroom. This is something we were taught in school.

I'm pretty sure most all forum passwords were stored in plain text

It's not because others are doing something that you have to do the same. There are two categories: the followers, who do like others without thinking, and the leaders, who look ahead. I thought you would agree with this.

Also, it was in 1978 that the concept of storing passwords as hashes, instead of plain text, was described...
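The storage difference argued over above (lammert's note that passwords were kept in plain text since 1999, versus justpassing's hashed storage), shown as an added example that is not code from this thread or from WebmasterWorld. It assumes PBKDF2-HMAC-SHA256 with a 600,000-iteration work factor and a 16-byte random salt per member; the password value is a constructed sample.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added illustration, not WebmasterWorld's code: a forum storing each member's
# password as a salted PBKDF2-HMAC-SHA256 record instead of as plain text.
ITERATIONS = 600_000  # assumed work factor; tune to your own hardware
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per member means two members who chose the same
    password get different records, so a dumped table cannot be grouped
    or cracked with one precomputed lookup.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and iteration count and compare
    in constant time; the site never needs the plaintext after signup."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def leak_exposes_password(stored_value: str, password: str) -> bool:
    """What a dumped user table hands an extortionist: a plaintext column is
    readable as-is, a hashed record does not contain the password at all."""
    return password in stored_value


if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample, not a real credential
    plaintext_row = pw                    # what a 1999-style table held
    hashed_row = hash_password(pw)
    print(leak_exposes_password(plaintext_row, pw))  # True
    print(leak_exposes_password(hashed_row, pw))     # False
    print(verify_password(pw, hashed_row))           # True
```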