
User Account Hack Attempt

wasprider

Not an April Fool's joke.

Someone attempted to log in using my credentials.

Luckily I had 2FA on, and I've changed my password in response. I generally use password managers and password generators, so the password is not likely to have been guessed.

That seems like the password storage is not secure, or someone put in a fair amount of effort to hack in.

Has this happened to anyone else recently?
 
My old password was crap, so that's one reason it was easy to guess. And I was in a PM with Train Dodger, which probably didn't help if people were trying to work out from his account.
 
Was that password also used at any other online services?

XF stores passwords properly hashed, so it's somewhat unlikely that someone server-side could get access to them in usable form. I'm still investigating that possibility, however.
 
> My old password was crap, so that's one reason it was easy to guess. And I was in a PM with Train Dodger, which probably didn't help if people were trying to work out from his account.

....from my unqualified opinion it sounds like you just got clipped by people hunting down that retard, rather than specifically getting targeted.

Good riddance to that dumbass. He's nothing but trouble.
 
> Was that password also used at any other online services?
>
> XF stores passwords properly hashed, so it's somewhat unlikely that someone server-side could get access to them in usable form. I'm still investigating that possibility, however.

No, or not anything in active use.

That's what password managers are for, this was not changed in the migration. I've got some crappy passwords, and I'll be changing all of them.

Apologies for the scramble.
 
> No, or not anything in active use.
>
> That's what password managers are for, this was not changed in the migration. I've got some crappy passwords, and I'll be changing all of them.
>
> Apologies for the scramble.

I'm curious. After you've changed them can you say how crappy they were?
 
> I'm curious. After you've changed them can you say how crappy they were?

I'd rather not. It'd be embarrassing. The weak passwords were for sites that didn't contain private information or credit card information.

Unfortunately, I have written spicy stuff here, which could reflect on me IRL if they managed to associate it to me.
 
Yep. Did that. But the way it says it is annoying.

Looks like they're looking for breaches since the first time the email address was seen. Not sure how often to change it.

Pasties are definite red flags, but I haven't been seeing strange activity on my accounts. Well, a lot more password resets it is.
 
Could be that someone elsewhere has the name of wasprider and you got splash damage from people trying to use a compromised universal password of the other wasprider.
 
> Could be that someone elsewhere has the name of wasprider and you got splash damage from people trying to use a compromised universal password of the other wasprider.

Seems pretty unlikely that two people with the same username would also have the same password.

Is it possible to tell if someone's logged in to your account (with your password)?
 
> Seems pretty unlikely that two people with the same username would also have the same password.
>
> Is it possible to tell if someone's logged in to your account (with your password)?

It's not uncommon for a person to use the same name across multiple sites, which is what I was suggesting. And the 2fa stopped whoever it was from getting into wasprider's account.
 
> It's not uncommon for a person to use the same name across multiple sites, which is what I was suggesting. And the 2fa stopped whoever it was from getting into wasprider's account.

But 2FA typically activates only after someone gives the correct password (does it also happen this way on QQ?). Still, it was mentioned as a low-quality one, so sharing it is not out of the question.
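
The point raised in the last reply (a 2FA prompt normally appears only after the correct password has been entered) is something a site's login log can surface to the account owner. The sketch below is an added example, not part of the thread and not XenForo code; the event tuple layout, user names and addresses are constructed for illustration, and every account is assumed to have 2FA enabled.

```python
from collections import defaultdict

# Constructed sample events, not taken from any real forum log.
# Layout (an assumption): (ISO timestamp, user, source IP, step, result)
SAMPLE_EVENTS = [
    ("2019-04-01T08:00:12", "alice", "198.51.100.7", "password", "ok"),
    ("2019-04-01T08:00:20", "alice", "198.51.100.7", "totp", "ok"),
    ("2019-04-01T09:14:03", "alice", "203.0.113.50", "password", "ok"),
    ("2019-04-01T09:14:31", "alice", "203.0.113.50", "totp", "fail"),
    ("2019-04-01T09:20:00", "bob", "203.0.113.50", "password", "fail"),
    ("2019-04-01T09:21:10", "carol", "192.0.2.44", "password", "ok"),
]


def find_blocked_logins(events):
    """Return {user: [ip, ...]} for logins where the password step succeeded
    but the second factor was never completed from that address.

    Such an entry means the password itself is known to whoever was at that
    address, so it should be rotated even though 2FA kept them out.
    """
    pending = {}  # (user, ip) -> time of the first unanswered password success
    for ts, user, ip, step, result in sorted(events):  # ISO times sort in order
        key = (user, ip)
        if step == "password" and result == "ok":
            pending.setdefault(key, ts)
        elif step == "totp" and result == "ok":
            pending.pop(key, None)  # login completed normally
        # A failed password or failed TOTP changes nothing: a wrong password
        # reveals no compromise, and a wrong code leaves the login unfinished.
    alerts = defaultdict(list)
    for (user, ip), _ts in sorted(pending.items(), key=lambda kv: kv[1]):
        alerts[user].append(ip)
    return dict(alerts)


if __name__ == "__main__":
    for user, ips in find_blocked_logins(SAMPLE_EVENTS).items():
        print(f"{user}: password accepted but 2FA not completed from {ips}")
```

A wrong-password attempt such as the constructed `bob` event is deliberately not reported, since it does not show that the password is known.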
 
