
Password Breach? at WebMasterWorld

security, password, breach, extortion emails

2:32 am on Oct 22, 2018 (gmt 0)

New User

10+ Year Member

joined:Oct 30, 2003
posts: 22
votes: 8


WebMasterWorld may have had its password database breached.

Today I received one of those silly fake extortion emails.

It quoted a password. With some luck I was able to track that password down to one used on WebMasterWorld. That is the only place it was ever used. It's linked to my email.

I haven't used the site since about 2010, but I find that my account, with the compromised password, is still active.

I'm safe and I've altered the password and will not use the site any time soon.

Others may not be so fortunate. Hence this warning.

So consider changing your password; if you sometimes use a common one across web sites and used it here, your funeral; and if you can track down this or any fake extortion ring I suggest you DOX them so that decent humans can purify the planet a little.

Their message is akin to this:

My nickname in darknet is <soon-to-be-dead>.
I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

So, your password from <kill-all-extortionists@smashtheirbrainsin.com> is <ultra-secret-password>

Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history.
Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the intimate content sites that you occasionally visit.
You have a very wild imagination, I tell you!

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching.
Oh my god! You are so funny and excited!

I think that you do not want all your contacts to get these files, right?
If you are of the same opinion, then I think that $<Some-Number> is quite a fair price to destroy the dirt I created.

Send the above amount on my BTC wallet (bitcoin): <Some-GUID>
As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Otherwise, these files and history of visiting sites will get all your contacts from your device.
Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it!

Since reading this letter you have 48 hours!
After your reading this message, I'll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson.
Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere!
Good luck!
2:59 am on Oct 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Total BS. I've received that and similar emails for years. Only thing is, I have no camera.

They seem to have increased in 2018. It's just phishing.
4:10 am on Oct 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10572
votes: 1125


People like to think their passwords are unique ... but sadly that's not true. This is "unique" (example):

aB2zgxfhi34!o09xhjy4pC67mq

And you should have every login completely different at least that long, if not longer. :)
4:39 am on Oct 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I change my passwords often. I never save passwords to browsers either. That always seemed like an unwise idea.
4:54 am on Oct 22, 2018 (gmt 0)

New User

10+ Year Member

joined:Oct 30, 2003
posts: 22
votes: 8


Yeah, keyplyr, of course they're complete BS, but in this case we know exactly where they got their data: here. (The current crop thinks they're clever by quoting a password, in this case an actual password. I have a feeling that some people may be taken in. I've had people come to me recently quite concerned about the latest crop. They're sending them on an industrial scale.)

tangor, maybe you didn't read the original post, this was a unique and hard to guess password (I only ever used it once). If you look at password cracking programs you'll see that, given enough determination by the attackers, nothing is safe. Fortunately it costs to crack good ones.

keyplyr, agreed, saving in a browser is often not a good idea. You've got to weigh it up. Only ever do that if it's not too important. I consider using online password safes in a similar way.
5:14 am on Oct 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


OK I get your point. Thanks for coming here and reporting it.

I've heard tales of dark web chat rooms where compromised info is traded/sold daily. The phisher may not even know where the info came from.
7:34 am on Oct 22, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts: 355
votes: 71


It's just phishing.

It would be IF they were not showing a real password ... In the example above, this is not just random emails sent with random common passwords. If the OP had received hundreds of similar mails with different passwords unrelated to those he would have used, then okay, ... but here, he received ONE email, with a "correct" password. The probability that hackers find a correct password, even a common word, with just one attempt is near zero. So yes, they, somehow, obtained the pair Email / Password.

Passwords have to be stored as an irreversible hash; any other method of storing passwords would be extremely amateur. That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text, does it?

ps: this site [haveibeenpwned.com...] can tell if your email / password has been part of known breaches.
7:48 am on Oct 22, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:5046
votes: 60


I've had those extortion emails, as said in 2018 there seems to be loads more.

They quoted one of my 'throwaway' passwords, which isn't my WebmasterWorld one, so some random website I signed up for but didn't particularly value has been hacked.

Passwords have to be stored as an irreversible hash; any other method of storing passwords would be extremely amateur. That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text, does it?


Brute forcing leaked databases is a sport for some people. It's especially easy if there isn't a salt at the per-password level. Any password that's less than 8-9 characters and using the likes of SHA-1 is pretty trivial to brute force on a GPU nowadays. These extortion emails don't really indicate whether their data source was plain passwords, encrypted, or anything.
8:21 am on Oct 22, 2018 (gmt 0)

New User

10+ Year Member

joined:Oct 30, 2003
posts: 22
votes: 8


justpassing I've been nuking the emails for a while. Today I saw somebody who received a genuine password (they use unique passwords so not that big a deal), and decided (for the first time) to check out the next email that I got. Sure enough I collected email and there was one. By chance I found it quickly. It looks like a WebMasterWorld leak.

A quick search suggested that there is no known breach at WeMaWo, so I made this post.

How it was done is best determined in conjunction with those who programmed the password store and all its versions. Hopefully that will be forthcoming.

My sense is that somebody has breached a lot of password stores and is now running an amateurish campaign to cash in on that. The bigger danger is that smarter people have also grabbed the passwords and will do more serious harm. (If they hadn't before, some certainly will be grabbing those password stores now.)

Given the array of tools out there to crack passwords, I'm guessing that many people on these forums could get themselves going with an operation like this in a few days. It's a clear and present danger.

brotherhood of LAN My current suspicion is that they have loads of password dumps, so any individual may get several of these emails. If they have adhered to a password per sign-up they may be different but all correct. If you have several of these emails you might be able to investigate further and help. Ideally participate in their extermination.

An IDEA: Take your safe password and add some identifier to it so that you can quickly identify "genuine leaks". Put another way: If your password on WebMasterWorld were "Vu2:\#6St\bq&2XbI4\J" you could change it to "WeMaWoVu2:\#6St\bq&2XbI4\J". That would help you quickly identify where it might have come from.
8:23 am on Oct 22, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:355
votes: 71


SHA-1 has been obsolete since 2005,
salt is also something common since the end of the 90's; hashing functions even automatically add a salt (e.g. PHP's password hash function has added a different salt automatically since 2004)
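As an added example (not code from this thread or from WebmasterWorld) of the storage difference brotherhood_of_lan and justpassing are discussing: an unsalted fast hash such as SHA-1 lets anyone holding the dump spot users who share a password and crack them all with one lookup, while a random per-password salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here, standing in for PHP's password hashing API) gives every row a distinct value. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample table: two users who happened to pick the same password.
USERS = {"alice": "hunter2!", "bob": "hunter2!", "carol": "correct horse"}


def sha1_unsalted(password: str) -> str:
    """Legacy scheme from the thread: one fast, unsalted SHA-1 per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Random 16-byte salt per password and a slow KDF.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'
    so the verifier can recover the parameters without a side table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed record, e.g. wrong field count or bad hex
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hash_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames that share an identical stored value.

    With unsalted hashes this leaks who shares a password and lets one
    dictionary or rainbow-table hit crack every member of the group at once;
    with per-password salts the groups are empty even for identical passwords.
    """
    groups: Dict[str, List[str]] = {}
    for user, value in table.items():
        groups.setdefault(value, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    legacy = {u: sha1_unsalted(p) for u, p in USERS.items()}
    modern = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("unsalted SHA-1 duplicates:", duplicate_hash_groups(legacy))
    print("salted PBKDF2 duplicates: ", duplicate_hash_groups(modern))
    print("alice verifies:", verify_pbkdf2("hunter2!", modern["alice"]))
```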
8:30 am on Oct 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


It's just phishing.

It would be IF they were not showing a real password
Not what I meant. Phishing to see who takes the bait by responding, then they have you playing on their terms.

I've been deleting them without consequence. I did send them to FTC but got tired of even doing that.
8:51 am on Oct 22, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:5046
votes: 60


SHA-1 has been obsolete since 2005, salt is also something common since the end of the 90's; hashing functions even automatically add a salt (e.g. PHP's password hash function has added a different salt automatically since 2004)


Well it sure sounds like you're familiar with best practices. Your post sounded like you assumed the plaintext passwords in email situation could only come from databases storing them the same way.
9:16 am on Oct 22, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:355
votes: 71


Your post sounded like you assumed the plaintext passwords in email situation could only come from databases storing them the same way.

No, I said:
That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text, does it?

There are plenty of other ways to steal information, for example, a compromised mail server, compromised network equipment (this is why everybody should use HTTPS), a compromised computer (client side), etc... This can also happen when someone changes his server and doesn't wipe the hard disk or SSD enough times; the next users can recover the data (when I take a server, I run a recovery utility, just out of curiosity, and you'd be surprised to see how much data you can get from the previous user(s)). Even if the database is encrypted and passwords hashed, there can still be copies of mails sent (this is why a good practice is to never send a password by email to a user, even in the registration email).

If it was a breach at the level of WW I think that all users (or those registered before a given date) would have received this email, with their WW password in it. (But if this is brute-force de-hashing then it sure can take years ...)
10:14 am on Oct 22, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


this was a unique and hard to guess password

How "unique" was it? Can you exemplify? And can you be 100% sure it was only used for your account here?
11:41 am on Oct 22, 2018 (gmt 0)

New User

10+ Year Member

joined:Oct 30, 2003
posts: 22
votes: 8


Absolutely guaranteed unique and not "a normal word". Not used elsewhere.
12:00 pm on Oct 22, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:5046
votes: 60


You should be able to share it; I assume you've already changed it and it wouldn't make any other accounts you have elsewhere more guessable.
12:34 pm on Oct 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Might be a good idea for everyone to update their password.
1:23 pm on Oct 22, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Crime pays: half a Bitcoin has already been sent to the wallet address listed in that particular e-mail (copies of which can be found elsewhere).

Was it the password you used when you signed up in 2003?

Those were (mostly) pre-HTTPS days. It could be that your e-mail and password were harvested by means other than a breach here.
7:34 pm on Oct 22, 2018 (gmt 0)

New User

10+ Year Member

joined:Oct 30, 2003
posts: 22
votes: 8


I'd advise people to be pretty careful about describing anything about their security practices, in public. (As a few are trying to do here.)

1. This information is public.
2. The forces against you are becoming more organised. Like they seem to be persistent. Like they are moving toward having individualised databases (much like the US political parties have databases on just about every US voter, their voting record etc., advertisers have done the same worldwide, also the criminals).
3. Individual encrypted communications would be a lot better, but so few are interested in doing this really simple thing.

In an unborked world some of this conversation, if it were, for some reason, forced into the open would look more like this:

"-----BEGIN PGP MESSAGE-----
Version: GnuPG v2
-----END PGP MESSAGE-----"
9:05 pm on Oct 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 889


That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text
Shortly after I started reading this forum, I remember someone posting in great (and understandable) annoyance because they'd got the routine welcome-to-WebmasterWorld letter ... including their newly selected password in plain text. At the time, the post was greeted with general sneering and “so what?” from established members.
9:27 pm on Oct 22, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:355
votes: 71


Shortly after I started reading this forum, I remember someone posting in great (and understandable) annoyance because they'd got the routine welcome-to-WebmasterWorld letter ... including their newly selected password in plain text. At the time, the post was greeted with general sneering and “so what?” from established members.

"He" was right. A site must NEVER send a password in an email.
9:44 pm on Oct 22, 2018 (gmt 0)

Preferred Member

5+ Year Member Top Contributors Of The Month

joined:Dec 11, 2013
posts:389
votes: 117


aB2zgxfhi34!o09xhjy4pC67mq

I personally use [retireyourpassword.org...] (Javascript, not database-based) password generator. To make it strong, I suggest at least two special characters.
10:50 pm on Oct 22, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 29, 2006
posts:1378
votes: 18


I haven't used the site since about 2010, but I find that my account, with the compromised password is still active.

I can't remember the year, but all WebmasterWorld members were instructed to change their password at one point.

Perhaps you didn't get the memo.

...
9:56 am on Oct 23, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 27, 2002
posts: 771
votes: 1


Just have to chime in here as I also received 2 of these mails today.
Both have similar content to the example in the original post.
What puzzles me is that this is a pw in a non-English language that I only use at webmasterworld. And Webmasterworld I only access through 2 computers that are both highly secured (paranoid company and my own malware-protected one).
Maybe time to change pw change routines at WebmasterWorld
10:03 am on Oct 23, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:355
votes: 71


Odd.

I am reading that WebmasterWorld had several owners; is it possible that a previous owner was a victim of hacking, or kept a database / information from members which could have been leaked?
10:09 am on Oct 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


"He" was right. A site must NEVER send a password in an email
As long as the data is encrypted and the connection is secure, I see no issue.

I would worry more about all these insecure email clients that people use. They get hacked all the time.
10:12 am on Oct 23, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:355
votes: 71


I would worry more about all these insecure email clients that people use. They get hacked all the time.

This is why a site must never send a password (or other important information) by email, because you don't know what happens beyond your own server. And one can't argue that it is no longer his fault beyond his own server.

And it's not only a matter of insecure clients. A LOT of mail servers talk to each other in plain text too.

ps: in the EU, from time to time, "they" want to make encryption forbidden, because it can be used to hide terrorist activity, ... so imagine tomorrow, if all encryption is forbidden in the EU ... it will be fun

[edited by: justpassing at 10:15 am (utc) on Oct 23, 2018]

10:12 am on Oct 23, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 27, 2001
posts:1186
votes: 16


Just to note, I messaged engine a couple of days ago as a heads-up about this (exact same email and using a pw which is only used on WebmasterWorld) and he was appreciative of the news - more so, I must say, than it appears some reactions are in this thread.

So that is at least two fairly experienced WebmasterWorld members who have had their unique site pw in one of those mails (if anyone is interested in counting).
10:19 am on Oct 23, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:26463
votes: 1076


Of course, I assume you've changed your passwords by now.
10:26 am on Oct 23, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:355
votes: 71


It is in this kind of situation that you see that sites which are "bothering" users with password requirements, and requesting passwords to be changed at regular intervals, are right.

At my sites, I require people to use passwords of at least 12 characters, including upper and lower case, digits and special characters (punctuation, and so on). And, every 6 months I "force" them to change their password. Often I have people complaining about this, claiming this is a lot of annoyance for a site which is not "sensitive" (not a bank, or ecom). So I try to be pedagogic and educate them, but I feel no one listens.

(being hacked is my biggest fear, so yes I am paranoid and certainly excessive, but I can't help it)