Russian hackers steal 1.2 billion usernames, passwords: are you affected?


#1

[Permalink]


#2

Cial1s V1agra R0lex cheep no waitng!!!


#3

Would it even matter if we all just changed our passwords?


#4

Hide in plain sight. We all change to the same password and next time they get a big list of 1.2 billion passwords it will look like the password harvesting robot is broken.


#5

Whist I usually decry the whiners saying BB is being clickbaity, I cannot think of any reason for adding “: are you affected?” to the post title other than being clickbaity, since the damn post doesn’t actually tell anyone anything about whether they are affected.


#6

heh, response to this sort of breach is part of my day job.

change your email password, that is usually ‘center of the snowflake’. and even if it is one char different given that they may need to test so many unless you are already on someones poop-list that will keep your crown jewel safe. then go and do what i know all of us do (in addition to brushing our teeth and adhering to the 30 second principle): keep changing your passwords on a regular basis.

pastebin should be full of trolls for the next few weeks (and yes, i said that firmly tongue in cheek :D).


#7

Let’s go with correcthorsebatterystaple just to make it simple.

Also, I love that I can use bugmenot@bugmenot.com/bugmenot as ID/password on dozens of sites. Thank you, bugmenot, for existing.


#8

did you know correcthorsebatterystaple, as a literal password, achieved a more than 1% share not too long ago? so yes, randall’s methodology is perfect, just don’t use the sample code :smiley:

(also windows 8/8/1 machines that are hooked to a microsoft account limit you to 16 characters, which almost made me accidentally spill my coffee on my laptop on purpose).


#9

So they … have all of the usernames and passwords?


#10

Heh, I just checked my keepass database. I am up to 160 usernames and passwords.

Username/ pass is fundamentally broken. I can kinda deal with it, with 20+ years of 50-60 hours a week dealing with security problems. The rest if the population is screeewed.

In the meantime set up recovery phones for email and banks. If you must a master list of passwords in a small safe isn’t a terrible idea. And anything truly important–baby pictures, mementos of loved ones, trip videos should be backed up in several locations.

We can all make more money, but damnit I need my old old-cat photos :frowning:


#11

Dear Xeni,

.LOL, you’ll find out soon enough.

Happy Birthday, asshole.


#12

and just don’t use the same password from one site anywhere else.

A crappy system to differentiate your passwords is better than one impossible-to-remember password that you use in multiple places.


#13

Yeah, even though adding a 1,2,3 isn’t a good practice, the fact is any average person can scrape 100k usernames and passwords off of paste bin a month. So trivial changes aren’t ideal, they stop the mass account take over for at least a few days.


#14

“Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable.”

So it’s important, but not really that important?


#15

Wait a minute. Some internet security company announces that half a trillion passwords are compromised, and the solution is to buy their services - and we just take them at their word and commence to panic?

I wonder if they found out my password is “gullible”?


#16

People keep saying this, and I guess I’m not sure what it is that you do with the internet. My LastPass account currently has passwords for 240 different sites in it. A lot of them are probably forums and shit that I used once for some very specific thing and then forgot about, but I could easily scrape together 20 or 30 just from email, social, banking, utilities, shopping, and forums/comment sections that I use regularly. “Change them all on a regular basis” is not really practical.

For now, I’m gonna stick with my current strategy, which is to use LastPass to generate 20 characters of unique line noise for every site I use. If somebody jacks my password for, I dunno, the Steven Brust Fan Forum or something, then have fun trying to sell Viagra to a dozen jaded fantasy readers, 'cause that’s all you’ll be able to do.


#17

No no no, you don’t understand. BoingBoing writers are bloggers, not journalists. That means anything they write is absolutely beyond reproach for any reason and you should feel bad for suggesting otherwise.


#18

The ad copy there is relentlessly sketchy, but if you follow it through they seem to be just asking for your name and email address so they can check it against the big list. I think, anyway. I haven’t gotten the response email that they promised–I’m guessing they’re pretty snowed right now. In any case, they’re not asking you to set up an account or hand over your credit card right off the bat.


#19

Somebody jacked my account for a forum once. I let them keep it. They made more sense than I did.


#20

Was it BoingBoing? ::mind blown::