Total BS. I've received that and similar emails for years. Only thing is, I have no camera.

They seem to have increased in 2018. It's just phishing.

People like to think their passwords are unique ... but sadly that's not true. This is "unique" (example):

aB2zgxfhi34!o09xhjy4pC67mq

And you should have every login completely different at least that long, if not longer. :)

I change my passwords often. I never save passwords to browsers either. That always seemed like an unwise idea.

Yea keyplyr of course they're complete BS, but in this case we know exactly where they got their data, here. (The current crop thinks they're clever by quoting a password, in this case an actual password. I have a feeling that some people may be taken in. I've had people come to me recently quite concerned about the latest crop. They're sending them on an industrial scale.)

tangor, maybe you didn't read the original post, this was a unique and hard to guess password (I only ever used it once). If you look at password cracking programs you'll see that, given enough determination by the attackers, nothing is safe. Fortunately it costs to crack good ones.

keyplyr agreed saving in a browser is often not a good idea. You've got to weight it up. Only ever do that if it's not too important. I consider using online password safes in a similar way.

OK I get your point. Thanks for coming here and reporting it.

I've heard tales of dark web chat rooms where compromised info is traded/sold daily. The phisher may not even know where the info came from.

It's just phishing.

It would be IF they were not showing a real password ... In the example above, this is not just random emails sent with random common passwords. If the OP had received hundreds of similar mails with different passwords unrelated to those he would have used, then okay, ... but here, he received ONE email, with a "correct" password. The probability that hackers find a correct password, event common word, with just one attempt is near zero. So yes, they, somehow, obtained the pair Email / Password.

Password has to be stored has an irreversible hash, any other method of storing passwords would be extremely amateur. That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text, isn't it ?

ps: this site [haveibeenpwned.com...] can tell if your email / password has been part of known breached.

I've had those extortion emails, as said in 2018 there seems to be loads more.

They quoted one of my 'throwaway' passwords, which isn't my WebmasterWorld one, so some random website I signed up for but didn't particularly value has been hacked.

Password has to be stored has an irreversible hash, any other method of storing passwords would be extremely amateur. That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text, isn't it ?

Brute forcing leaked databases is a sport for some people. It's especially easier if there isn't a salt on a per-password level. Any password that's less than 8-9 characters and using the likes of SHA-1 is pretty trivial to brute force on a GPU nowadays. These extortion emails don't really indicate whether their data source was plain-passwords, encrypted, or anything.

justpassing I've been nuking the emails for a while. Today I saw somebody who received a genuine password (they use unique passwords so not that big a deal), and decided (for the first time) to check out the next email that I got. Sure enough I collected email and there was one. By chance I found it quickly. It looks like a WebMasterWorld leak.

A quick search suggested that there is no known breach at WeMaWo, so I made this post.

How it was done is best determined in conjunction with those who programmed the password store and all its versions. Hopefully that will be forthcoming.

My sense is that somebody has breached a lot of password stores and is now running an amateurish campaign to cash in on that. The bigger danger is that smarter people have also grabbed the passwords and will do more serious harm. (If they hadn't before, some certainly will be grabbing those password stores now.)

Given the array of tools out there to crack passwords, I'm guessing that many people on these forums could get themselves going with an operation like this in a few days. It's a clear and present danger.

brotherhood of LAN My current suspicion is that they have loads of password dumps, so any individual may get several of these emails. If they have adhered to a password per sign-up they may be different but all correct. If you have several of these emails you might be able to investigate further and help. Ideally participate in their extermination.

An IDEA: Take your safe password and add some identifier to it so that you can quickly identify "genuine leaks". Put another way: If your password on WebMasterWorld were "Vu2:\#6St\bq&2XbI4\J" you could change it to "WeMaWoVu2:\#6St\bq&2XbI4\J". That would help you quickly identify where it might have come from.

SHA-1 is obsolete since 2005,
salt is something also common since the end of the 90's, hashing functions even automatically add a sal (eg. PHP 's password hash function adds a different salt automatically since 2004)

It's just phishing.

It would be IF they were not showing a real password

Not what I meant. Phishing to see who takes the bait by responding, then they have you playing on their terms.

I've been deleting them without consequence. I did send them to FTC but got tired of even doing that.

SHA-1 is obsolete since 2005, salt is something also common since the end of the 90's, hashing functions even automatically add a sal (eg. PHP 's password hash function adds a different salt automatically since 2004)

Well it sure sounds like you're familiar with best practices. Your post sounded like you assumed the plaintext passwords in email situation could only come from databases storing them the same way.

Your post sounded like you assumed the plaintext passwords in email situation could only come from databases storing them the same way.

No, I said:

That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text, isn't it ?

There are plenty of other ways to steal information, for example, a compromised mail server, a compromised network equipment (this is why everybody should use HTTPS), a compromised computer (client side), etc... This can also be when someone changes his server, and doesn't wipe the hard disk or SSD enough times, the next users can recover the data (when I take a server, I a recovery utility, just by curiosity, and you'll be surprised to see how much data you can get from the previous user(s)), even if the database is encrypted and password hashed, their can still be copies of mails sent (this is why a good practice is to never send a password by email to a user, even during the registration email).

If it was a breach at the level of WW I think that all users (or those registered before a given date) would have received this email, with their WW password in.(but if this is brute force de-hashing then it sure can take years ... )

this was a unique and hard to guess password

How "unique" was it? Can you exemplify? And can you be 100% sure it was only used for your account here?

Absolutely guaranteed unique and not "a normal word". Not used elsewhere.

You should be able to share it, I assume you've already changed it and it wouldn't make any other accounts you have elsewhere more guessable

Might be a good idea for everyone to update their password.

Crime pays: half a Bitcoin has already been sent to the wallet address listed in that particular e-mail (copies of which can be found elsewhere).

Was it the password you used when you signed up in 2003?

Those were (mostly) pre-HTTPS days. It could be that your e-mail and password were harvested by means other than a breach here.

I'd advise people to be pretty careful about describing anything about their security practices, in public. (As a few are trying to do here.)

1. This information is public.
2. The forces against you are becoming more organised. Like they seem to be persistent. Like they are moving toward having individualised databases (much like the US political parties have databases on just about every US voter, their voting record etc., advertisers have done the same worldwide, also the criminals).
3. Individual encrypted communications would be a lot better, but so few are interested in doing this really simple thing.

In an unborked world some of this conversation, if it were, for some reason, forced into the open would look more like this:

"-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA8QeWcfrOZ/XAQf+LdgD7tZQMzJq8eLVzD3SBxKogL0loDyvbIdxQ+Se11eg
k96h44bKnmFBk6z0sRZXXmhYlzDBT3gXsy3Kja8w8Dysun5nocmYQFcGtrBNzWmq
EnvdOv54UVKCvKf7OOOjELoscH3H2tIVqSPEcX0dPkxZ4XPnMKp/U5eaqr+ETv4/
GvY3bMAlHvKqfWd5BDhiMnIfg+8O6CtaKliI1QYvCtvu9DHl9XUU59NIxa+NKMsY
nLe0fwzhfmdK8Yjr8Q4Ayl51gS2olEGgRFxpZRNjrvtv6M6nSZHK46SZ5o3QfgeJ
8NJ9U7yL/lylqMJpp84VdfQri+lW2xLbmQC2p/aGVNLqAXmc45etaHgeM9EvGumm
1OjgCEeIlCTTeFOknt2PqiSD3X1KgkM7S163jPR7PB39KKiBzapsWloh5iNTUXSh
eU9nMNtH/RUlA1Xp/yYTgmJXdQASey1MyLbknInyRKzupduESn9EzqV0hn5K1e0G
rSuPVy34cPfsgmJCdQYwW/E2WtpGzbGTN2+fEdu8vLLrCzyGzTQ9WVWpptZC9g+k
qxL5CipxIYJjTN4WSkPEvcOWosyjLdV9J9X5SqYarixhxykfJTigxCVbs/sXpbbA
7NoqvHnV0LWXg7MBJ+xVJse+2n3ZSC9xoLiV+bZ9k8whoeXaqCNUDrvg8G5DTrE0
hK8XRVDRjdgtyVHp8pIaf57S9zr5qaWm38rc1k3CVhpxVKSIgyLPTe8LGrpLcgma
2Mw/NJEGfjEua+TwksDSClwzs6jqPet7mOnJR3SudykY4EElceOZz6H0KDhmz9NP
zD+a5oFU2GVHluqjW8KuXOiYdnc2/kfoA4kdMmZO9IVm4T5+M7dS4U9yWAErUl8y
we/GLtgkNhtj3+rB08mgbKFMPw9ft1fnojSY8diY+pel3re6GriGsInv53X9NNBe
GC8KfBDBfbQe0j9aje6/27NXvjCN5ORVy/VLUuw/j8kjp2NV6bMPF2D339UaWJnI
StDwIbQrKJByq8fnKnZ8/vtzFKixXpA1V7/rORpkCV3+VrMpbZR89WHrOQxRm30I
tpMVFsRA+jVG+5bdHO1vDYillSv78rkD3jVJLs51s8mkKzKXzaqJpGe+h625PXTX
mUf9WzPUVdeqhdaFMFKB7hBipO0nSVHP4+Zpx4bwopMJH3Sgc+9YmaN1atrKAVbK
8aJshXR/JDnkHkEPS9ls3XHnIIsjXDChqwMzvNGWK2U3whyD/Qc4OHcE8ML0WZNb
TgP6+Bu5F2jumbx4BcLNwWtECtro3zs1Lk/suqQz/aZhuLbj5w45T/x9ZYv2hYBE
XwXYnPlgDbSAEflCJ5XeYHuedm9FmXz5Ui+kBwQyO6sLp52tytcMWvpBVgpfw2O9
39KsJfDWKCZAb+QRU0ADjf8Zi4y+ShftqiSfpYRQRs5iWqmIvyfpTXsKegaVNXLc
aLgJwj3vDT00SsW0GbLGQc/koXOJCgZwTAcNPB0JmGX0xfHPWo9q3F4CmWHSNKXw
ljsFGe/MY02HXbVxOvktY3CHFhCrwRuSWdslWy5RBzjZVi1UKYL6yhJZjHdayqUy
mz3ybjapdnkvS7/mf/WIH/jI79F0Y74EprFTkN1G3st/LVeNKK8udC7B/hEHP3QU
lwTYK8v8EznchkPn1lkyHXDhLyjxqZLdU81d3a396iIC7xqLDaXNU+VE9cPKBx92
tzUaMJbH7Y5WSs4rZ/qiE+R7hBQ9HeT0TeSlJZvSXNnWQl8Cc2rufowsV5bhWsug
T7oecqAwzQ==
=eYJT
-----END PGP MESSAGE-----"

That being said, I doubt that WebmasterWorld stores or has ever stored passwords in plain text

Shortly after I started reading this forum, I remember someone posting in great (and understandable) annoyance because they'd got the routine welcome-to-WebmasterWorld letter ... including their newly selected password in plain text. At the time, the post was greeted with general sneering and “so what?” from established members.

Shortly after I started reading this forum, I remember someone posting in great (and understandable) annoyance because they'd got the routine welcome-to-WebmasterWorld letter ... including their newly selected password in plain text. At the time, the post was greeted with general sneering and “so what?” from established members.

"He" was right. A site must NEVER send a password in an email.

aB2zgxfhi34!o09xhjy4pC67mq

I personally use [retireyourpassword.org...] (Javascript, not database-based) password generator. To make it strong, I suggest at least two special characters.

I haven't used the site since about 2010, but I find that my account, with the compromised password is still active.

I can't remember the year, but all WebmasterWorld members were instructed to change their password at one point.

Perhaps you didn't get the memo.

...

Just have to chime in here as I also received 2 of these mails today.
Both have similar content to the example in the original post.
What wonders me is that this is a pw from a non english language I only use at webmasterworld. And Webmasterworld i only access through 2 computers that are both highly secured (paranoid company and my own malwareprotedted one).
Maybe time to change pw change routines at WebmasterWorld

Odd.

I am reading that WebmasterWorld had several owners, is it possible that a previous owner was victim of a hacking, or, kept database / information from members which could have been leaked ?

He" was right. A site must NEVER send a password in an email

As long as the data is encrypted and the connection is secure, I see no issue.

I would worry more about all these unsecure email clients that people use. They get hacked all the time.

I would worry more about all these unsecure email clients that people use. They get hacked all the time.

This is why a site must never send a password (or other important information) by email, because you don't know what happens beyond your own server. And one can't argue this is not longer his fault, beyond his own server.

And it's not only a matter of unsecure client. LOT of mail servers are discussing between each others in plain text too.

ps: in EU, from time to time, "they" want to make encryption forbidden, because it can be used to hide terrorist activity, ... so imagine tomorrow, if all encryption is forbidden in EU ... will be fun

[edited by: justpassing at 10:15 am (utc) on Oct 23, 2018]

Just to note, I messaged engine a couple of days ago as a heads-up about this (exact same email and using a pw which is only used on WebmasterWorld) and he was appreciative of the news - more so, I must say, than it appears some reactions are in this thread.

So that is at least two fairly experienced WebmasterWorld members who have had their unique site pw in one of those mails (if anyone is interested in counting).

Of course, I assume you've changed your passwords by now.

This is in this kind of situation, that you see that sites which are "bothering" users with passwords and requirements, and requesting passwords to be changed at regular intervals, are right.

At my sites, I require people to use password of 12 characters (at least), and include upper and lower caps, digit and special characters (punctuation, and so on). And, every 6 months i "force" them to change their password. Often I have people complaining about this, claiming this is a lot of annoyance for a site which is not "sensitive" (not a bank, or ecom). So I try to be pedagogic and educate them, but I feel no one listen.

(being hacked is my biggest fear, so yes I am paranoiac and certainly excessive, but I can't help it)