Multitool.org Forum


I just got hacked.

Chako · 16 · 1221

ca Offline Chako

I just got hacked.
on: January 27, 2018, 03:15:50 AM
This has been a bit of an interesting time for me. A few days ago, I went to play some Titan Quest Anniversary Edition on STEAM and got a password prompt. I typed my password and couldn't get in. Hmmm... When I tried to send a password code to my email, it was bounced to someone else's email. I figured I got hacked. After trying to figure out how to regain my account... and STEAM doesn't make this process all that easy, I eventually figured it out and got to the right section. I am very happy I didn't throw away my last STEAM card, as they wanted proof that the account was mine. I had to take a photo of the card and send it to them. Well, after a few days, I finally got several emails from STEAM... several of which were about Counter-Strike Global Offensive items sold for Russian rubles, and one good one from STEAM telling me of the new password to get in. After typing another verification code sent to my proper email, I was back into my account. The only problem I am now having is that my STEAM profile is now in Russian, which I cannot read. I just sent STEAM another email explaining my Russian problem. I hope they can fix this, as I cannot even begin to change the profile back to mine as everything is literally in Russian.

This all forced me to change my email password, as I am suspicious that my email was compromised seeing that a few months ago, I was booted off of Blizzard.Net for a similar situation. Regardless, my AVG tells me I am 100% protected, and this is the paid version.  :facepalm:
« Last Edit: January 27, 2018, 03:17:12 AM by Chako »
A little Leatherman information.

Leatherman series articles


ca Offline Chako

Re: I just got hacked.
Reply #1 on: January 27, 2018, 04:24:21 AM
Just figured out how to toss the Russian, and the Russian hacker's profile. So long $SKELETQ$  :drink:

 :tu:


us Offline WoodsDuck

Re: I just got hacked.
Reply #2 on: January 27, 2018, 08:31:56 AM
Seems more likely to be a database breach than someone actually hacking your computer. I've had a number of email passwords, and even debit card information compromised from the other end. Hell, someone stole the identities of half the people in the corporation I work for (which has over 40,000 employees) last year and filed for tax returns in their name. AVG wouldn't be aware of anything like that happening, if they never touched your device.


us Offline ThundahBeagle

Re: I just got hacked.
Reply #3 on: January 27, 2018, 08:39:42 AM
Hi Chako,

From my experience, a lot of folks don't realize that if somebody logs in AS YOU, and works on your computer, or uses your account, then AVG, Sophos, Norton, Kaspersky - well, none of them will know it isn't you.

What you most likely were, was "phished." It's an old term with its roots back in the plain old telephone service days and is a form of social engineering.

Check your emails from the days before you were booted off of Blizzard and see if you didn't receive an email that may have included a link to another web page asking you to confirm your email account details (or Blizzard or Steam). It could have appeared to be Microsoft, or Google, work-related, or even Blizzard related. Looking at it now, you will likely realize some inconsistencies or glaring mistakes in this email.

One such email went around where I work, and it was addressed to "all faulty and staff" instead of faculty and staff. Indeed, those who fell for it were in a sense faulty. In this phishing scam email, they said something to the effect that a new email server had been installed and please click the link and put your user name and password in order to confirm, otherwise your email will stop working, or some silly smurf. They then signed it something like "the helpdesk" or something. So people fell for it.

What happens next is the phisher used Outlook Web Access to log in as the person, and began sending out emails like mad. They also set any incoming email to forward to someplace else, like the sent items or deleted items folder. This is so that when they send out a million emails, and a large number bounce back to you as undeliverable, you will not see that and have cause for alarm. Indeed it is possible that for a spell, you may have checked your inbox and found absolutely nothing. Obviously in your case, they wanted to access Blizzard and Steam.

And for all intents and purposes, there is nothing for antivirus to detect. As far as antivirus knows, everything is fine. The computer itself has not been penetrated, after all. Just some of your accounts in the cloud somewhere, which you unwittingly gave them the keys to.
« Last Edit: January 27, 2018, 08:57:20 AM by ThundahBeagle »


us Offline ThundahBeagle

Re: I just got hacked.
Reply #4 on: January 27, 2018, 08:52:25 AM
The emails may have even come from another email account of someone you know or recognize. If so, then that person has been hacked before you and the bad guy is going through your contacts and recent emails, snapping off similar phishing emails to them. The "bad guy's" ultimate aim here is usually to eventually obtain the user name and password of a network account administrator or even someone in finance - for obvious reasons. Sometimes, though, it's just bragging rights or a practice run.

Change your email password, your bank password if you online bank, your Blizzard password, and that of Steam, and... any passwords to any web camera systems you have set up. Make sure they are all different than each other. That will minimize the effects because everything is compartmentalized.

I hope that helps.


us Offline ThundahBeagle

Re: I just got hacked.
Reply #5 on: January 27, 2018, 09:03:28 AM
Quote from: WoodsDuck
Seems more likely to be a database breach than someone actually hacking your computer. I've had a number of email passwords, and even debit card information compromised from the other end. Hell, someone stole the identities of half the people in the corporation I work for (which has over 40,000 employees) last year and filed for tax returns in their name. AVG wouldn't be aware of anything like that happening, if they never touched your device.

This may be the case, IF only Steam, or only Blizzard were penetrated (unless of course, they are owned by the same company, in which case they could both be penetrated). And yes, the email accounts database can be penetrated at the other end as well. Yahoo took a huge hit like that a few years ago, but it usually wouldn't affect your other types of accounts unless you also fell for something.


ca Offline Chako

Re: I just got hacked.
Reply #6 on: January 27, 2018, 03:04:18 PM
Thanks for the info. I am certain I never opened an email as I rarely do on my home computer. Possibly it was hacked on Steam's end. I have no clue to be honest. The Russian dude didn't do anything to my account other than play CS:GO with online folks. I prefer to play with bots alone. He did sell maybe 4 CS:GO cards but I really do not care as I ignore those I get anyhow. They mean nothing to me. I am just glad to get my games back.

Yes, I have changed my passwords all around. Did several deep scans with the antivirus software, and fixed a few other things. I still cannot update Windows 10 without getting error codes. I think eventually, I will have to re-install the OS, but don't wish to do that anytime soon. If I get hacked again, a clean install will be the first thing I do.


us Offline sLaughterMed

Re: I just got hacked.
Reply #7 on: January 27, 2018, 06:05:58 PM
Secure passwords (ideally different for every website you use) is key.
Laughter is the best Medicine
Slaughter is just Laughter with an "S"

We are looking for Multitool Encyclopedia Editors! If you are interested, please give me a PM!

The Multitool Encyclopedia Editing for Dummies Page: http://forum.multitool.org/index.php/topic,65751.0.html
Multitool Encyclopedia Suggested Edits Page: http://forum.multitool.org/index.php/topic,65746.0.html


ie Offline Don Pablo

Re: I just got hacked.
Reply #8 on: January 27, 2018, 06:46:23 PM
Quote from: sLaughterMed
Secure passwords (ideally different for every website you use) is key.

And in addition to being easier to remember (if you use a mnemonic or something) strings of random words are more secure than strings of numbers and characters.

Example, I told a random word generator to give me 5 words, here they are:
superiorpurefitgovernorrecovery.

That means 20,000*20,000*20,000*20,000*20,000 = 3,200,000,000,000,000,000,000 possible combinations assuming that the random word generator picks from a list the size of the average person's vocabulary. If it uses the OED to pick words from, then even more possible combinations. :ahhh

Compare with using 5 numbers:
10*10*10*10*10=100,000, which is relatively tiny.  ::)

Throw in a word or two from a different to make it harder to brute force.  :rofl:
« Last Edit: January 27, 2018, 06:47:24 PM by Pablo O'Brien »
Hooked, like everyone else. ;)

All hail the hook!


ie Offline Don Pablo

Re: I just got hacked.
Reply #9 on: January 27, 2018, 06:52:04 PM
By the way, I just found this random word generator. One word at a time only, but it says that it uses a 90,000 strong dictionary, so that’s plenty of words to pick from.  :rofl: I think that I’ll use it from now on. :think:
http://www.wordgenerator.net/random-word-generator.php


ca Offline Grant Lamontagne

Re: I just got hacked.
Reply #10 on: January 27, 2018, 06:58:37 PM
Megan logged into her Netflix account one day and there was a new profile added for some person named James who was supposedly in Switzerland.

Needless to say she changed all of her passwords after that.

I also got a message from AMEX one day telling me they had denied a $1300 stay at an AirBnB in China.  Considering I was in Halifax at the time with a broken ankle I was glad to hear that AMEX declined the payment as I didn't feel like flying to the other side of the planet.   :facepalm:

It was my credit card but Megan's AirBnB account, so I called her and she started changing her passwords again.

Might be worth a read:
https://forum.multitool.org/index.php/topic,65173.0.html

Def
Listen to the Official Podcast of Multitool.org:

It's The Podcast You Never Knew You Needed brought to you by The Only Forum That Matters!


fr Offline Whoey

Re: I just got hacked.
Reply #11 on: January 27, 2018, 07:09:24 PM
From what I have seen and read using words alone is a guaranteed risk. Using different case letters, numbers and extra characters whenever possible is better but something like two factor authentication is a more secure method.

On a security webinar I saw recently the host suggested using a phrase, extracting the first two letters of each word, capitalizing the first letter and then adding extra characters/numbers, for example:

Common sense is not very common > CoSeIsNoVeCo

Plus some random life event year like when you got your first pet, but not your birthday, graduation, wedding anniversary etc. Something that is less likely to be out there.
His final password would be something like:

@CoSeIsNoVeCo#1985

(I am not using this anywhere, it's only an example, and 1985 is completely randomly picked.)

Using a secure password generator is likely better, but more difficult or impossible to recall in a pinch.
The difficult we do immediately, the impossible takes a little longer.


ie Offline Don Pablo

Re: I just got hacked.
Reply #12 on: January 27, 2018, 07:20:43 PM
There are 10 numbers, but millions of words.  :think:
So why are words insecure, as long as you pick them truly randomly from a large enough list?


us Offline LoopCutter

Re: I just got hacked.
Reply #13 on: January 27, 2018, 09:15:07 PM

Quote from: Don Pablo
There are 10 numbers, but millions of words.  :think:
So why are words insecure, as long as you pick them truly randomly from a large enough list?

Ever seen “Wheel of Fortune”?
People can pick random letters then guess the words, often associated to phrases, but if the human brain can begin to recognize a word, how quickly would a computer begin assembling the word and then the string?

Creating it long enough is best, because hackers are not going to waste time breaking a 15 character password when there are many 8 character ones that can be beat.

Then again many sites limit the total number of characters. Those requiring special characters are stronger yet, “!” and “$” are usually substituted for “1” and “s” most frequently.


If I start and end the day above ground, it is a good day!

Hope yours is as good!

A SMART man always knows what to say!
   A WISE man knows whether or not to say it!!!


ie Offline Don Pablo

Re: I just got hacked.
Reply #14 on: January 27, 2018, 10:18:11 PM

That’s why you mix together words randomly... no phrases to guess there.

https://xkcd.com/936/
I know that I’m on shaky ground when I reference a webcomic...  ;)


nl Offline Ron Who

Re: I just got hacked.
Reply #15 on: January 27, 2018, 10:57:42 PM
Quote from: Don Pablo
There are 10 numbers, but millions of words.  :think:
So why are words insecure, as long as you pick them truly randomly from a large enough list?

There are 10 digits and 26 letters. With these you can create an infinite number of strings, but most of the time we humans do not create random strings. Words aren't random strings of letters, and numbers aren't random strings of digits (usually).

So a password that we know a part of may be completed with little effort in many cases. When the number of unknowns is small enough, a computer WILL find them (and trying a few million possible words won't take long enough to stop anyone from finding your password either, that's why any system shouldn't allow you more than three tries).

A good password should be something incomprehensible, neither a number nor a word. And you should not write it down. The problem of course is that following this good advice most likely will make your computer inaccessible to yourself as well as everyone else.

Quote
https://xkcd.com/936/
I know that I’m on shaky ground when I reference a webcomic...  ;)

Yes, catenating four short words seems a good strategy, better than using a single much longer word. But the strategy fails when it's widely used, and thus becomes known to hackers. Many passwords are easy to find if you know what search strategy to use. The difficulty rates in the example are based on the letter content, not the word content. If you know that you're looking for four one-syllable English words it could be done within a relatively short time.


And then this:

Quote from: Martijn Pannevis

How many words are there in the world?

Answered Oct 19, 2012
Not an exact answer, but I analysed the dictionaries for spelling checking for 123 different languages. In total they contain 20,182,852 words. Since a lot of languages have the same words, they contain 15,422,745 unique words, over all those languages.


That's about 15 million words, to be shared among 8 billion people. Each word-password would have over 500 users.

« Last Edit: January 28, 2018, 12:21:05 AM by Ron Who »
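
The arithmetic debated in this thread, as an added example (not code from any poster): it counts combinations and entropy for the schemes mentioned above, treating each whole word or digit as the unit that an attacker who already knows the method and the list must guess, and draws a passphrase with Python's `secrets` CSPRNG. The sample word list, the 94-character comparison row and the guess rate are assumptions made for the demo.

```python
import math
import secrets

# Constructed sample list for the demo only; the thread's figures assume
# lists of 20,000 or 90,000 words, and a real list needs thousands of entries.
SAMPLE_WORDS = ["superior", "pure", "fit", "governor", "recovery", "anchor",
                "violet", "timber", "orbit", "meadow", "cactus", "lantern",
                "pepper", "harbor", "quartz", "saddle"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# name -> (size of the pool each unit is drawn from, number of units)
SCHEMES = {
    "5 digits": (10, 5),
    "5 words from 20,000": (20_000, 5),
    "5 words from 90,000": (90_000, 5),
    "4 words from 2,048 (xkcd 936)": (2_048, 4),
    # Added comparison row, not a figure from the thread.
    "8 random printable ASCII chars": (94, 8),
}


def combinations(pool_size: int, picks: int) -> int:
    """Number of equally likely secrets when every unit is picked uniformly."""
    return pool_size ** picks


def entropy_bits(pool_size: int, picks: int) -> float:
    """Same quantity on a log scale: bits of entropy."""
    return picks * math.log2(pool_size)


def average_years_to_guess(pool_size: int, picks: int, guesses_per_second: float) -> float:
    """On average an exhaustive search succeeds after half the space."""
    return combinations(pool_size, picks) / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e10) -> dict:
    """Rows of (combinations, bits, average years); the rate is an assumed offline-guessing speed."""
    return {
        name: (combinations(pool, picks),
               entropy_bits(pool, picks),
               average_years_to_guess(pool, picks, guesses_per_second))
        for name, (pool, picks) in SCHEMES.items()
    }


def random_passphrase(words, count: int, separator: str = "-") -> str:
    """Pick words with the OS CSPRNG; human-chosen 'random' words do not give this entropy."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, (count, bits, years) in compare().items():
        print(f"{name:32} {count:.3e} combos  {bits:5.1f} bits  {years:.3g} years")
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS, 5))
```

The figures hold only when every word is drawn uniformly at random; a reused or phished password falls regardless of its entropy, which is why the thread's advice on unique passwords and two factor authentication still applies.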


 
