I saw the news recently that "compromised accounts" had been banned.
What is a compromised account?
How do I avoid/prevent my account being compromised?
Will I be notified if my account is compromised?
Is the site still safe?
Posted under General
Compromised means a malicious actor somehow got the password and accessed the account. The Mods spent several hours cleaning up various types of spam from a bunch of hacked accounts and banning them. (Over 25,000 Mod Actions were taken! Thanks, Mods!) You could always change your password if you're concerned.
crocogator said:
Compromised means a malicious actor somehow got the password and accessed the account. The Mods spent several hours cleaning up various types of spam from a bunch of hacked accounts and banning them. (Over 25,000 Mod Actions were taken! Thanks, Mods!) You could always change your password if you're concerned.
Was e621 hacked?
disposableyeens said:
Was e621 hacked?
It's more likely the passwords were leaked from some password manager site. If e6 itself was hacked, I'd suspect the site would go down for a bit and everyone would be forced to reset their passwords.
disposableyeens said:
Was e621 hacked?
No, many other sites were. The problem is when people reuse passwords from those sites here. You can avoid such trouble by using a reputable password manager.
disposableyeens said:
Was e621 hacked?
A series of threads were made that had a four digit number at the end. I didn't see the entirety of it, but I'm assuming they were planned to be posted in the thousands. And from that, that a massive amount of accounts had to have either been stockpiled over time, or accessed all at once. I'm seeing it more likely that at least a momentary breach happened, since stolen accounts would've been recovered as the creators reached out to staff.
I'm going to say change your password. Maybe even your email address, if you don't want it associated with this account.
letforeverfinallydie said:
A series of threads were made that had a four digit number at the end. I didn't see the entirety of it, but I'm assuming they were planned to be posted in the thousands. And from that, that a massive amount of accounts had to have either been stockpiled over time, or accessed all at once. I'm seeing it more likely that at least a momentary breach happened, since stolen accounts would've been recovered as the creators reached out to staff.
I'm going to say change your password. Maybe even your email address, if you don't want it associated with this account.
I have an email specifically for my furry stuff, is that good enough?
When I looked at the forums 3 hours after the raid (and around the time when mods started cleaning up the forum,) there were 14 and a half pages of spam threads. Though it seemed like some accounts started to get reused for threads after awhile.
anicebee said:
When I looked at the forums 3 hours after the raid (and around the time when mods started cleaning up the forum,) there were 14 and a half pages of spam threads. Though it seemed like some accounts started to get reused for threads after awhile.
It was at least 100 pages of spam forum threads, plus some blips and sets created by the hacked accounts.
disposableyeens said:
I have an email specifically for my furry stuff, is that good enough?
It's good practice to separate your interests with different emails. Like gattonero said above, make sure you use strong passwords and don't reuse passwords across sites. A good modern password manager can generate long, high-entropy passwords and autofill them in fields if you want. Chrome and Firefox both have built-in password generators nowadays so you don't necessarily need a third-party solution, either.
crocogator said:
It was at least 100 pages of spam forum threads, plus some blips and sets created by the hacked accounts.
everything after topic #47625 but before topic #53932 were spam threads (that's more than 6300 threads), most of the blips between blip #128786 and blip #132636 (~3840 blips) and a boatload of sets created. also several of the compromised account's profiles were modified to expose email addresses.
dba_afish said:
everything after topic #47625 but before topic #53932 were spam threads (that's more than 6300 threads), most of the blips between blip #128786 and blip #132636 (~3840 blips) and a boatload of sets created. also several of the compromised account's profiles were modified to expose email addresses.
jeez
this is extremely concerning, i believe we never had a mass branching of passwords as bad as this one, literally thousands of accounts got compromised
not mountains of people will need to rebuild their account from zero, but during the process of people getting new accounts, countless trolls can take advantage of the chaos
does anyone have any idea of who can be the culprits?
eranormus said:
this is extremely concerning, i believe we never had a mass branching of passwords as bad as this one, literally thousands of accounts got compromised
not mountains of people will need to rebuild their account from zero, but during the process of people getting new accounts, countless trolls can take advantage of the chaos
does anyone have any idea of who can be the culprits?
It was probably just the same breach as FA's Gregging, don't use online password managers, don't use the same password for everything, and certainly don't use your email password for anything else, and 99% of issues go away.
eranormus said:
this is extremely concerning, i believe we never had a mass branching of passwords as bad as this one, literally thousands of accounts got compromised
not mountains of people will need to rebuild their account from zero, but during the process of people getting new accounts, countless trolls can take advantage of the chaos
does anyone have any idea of who can be the culprits?
Most of the accounts were abandoned accounts with little/no activity or even avatars. Old and inactive accounts are easier to compromise since they're more likely to not have changed passwords in a long time as well as have a good chance to be throwaway accounts with garbage passwords.
votp said:
It was probably just the same breach as FA's Gregging, don't use online password managers, don't use the same password for everything, and certainly don't use your email password for anything else, and 99% of issues go away.
FA's Gregging?
disposableyeens said:
FA's Gregging?
FA recently had a bunch of compromised accounts start spamming Gregg, most were of the same "category" of old/unused accounts as happened here.
dba_afish said:
everything after topic #47625 but before topic #53932 were spam threads (that's more than 6300 threads)
RIP topic #50000
I have recently got unbanned from my account being compromised apparently.
My email isn't pwned, I use an offline open-source password manager program, my other accounts are untouched, the only way I was hacked is by my weak generated password.
Always use strong long passwords with uppercase and lowercase, numbers, special characters and extended ASCII!
moojuicers said:
I have recently got unbanned from my account being compromised apparently.
My email isn't pwned, I use an offline open-source password manager program, my other accounts are untouched, the only way I was hacked is by my weak generated password.
Always use strong long passwords with uppercase and lowercase, numbers, special characters and extended ASCII!
That advice aged like roast beef, haha!
Length is King, all that matters is ease of guessing, restrictions/requirements on characters can sometimes make it easier to crack, that's all.
Which itself is dated advice. Now they're recommending cryptographic solutions like authenticators (2FA, not stupid SMS or email stuff). TBF, all my servers use key pairs to login to shells, because passwords on SSH is crazy talk. That however is not any kind of 2FA unless using a passphrase, and doesn't really meet the requirements that are the entire point even if it is (passphrase can get compromised with keyloggers).
moojuicers said:
Always use strong long passwords with uppercase and lowercase, numbers, special characters and extended ASCII!
Most password fields won't even accept Extended ASCII... let alone having the input not being compatible with mobile devices.
alphamule said:
That advice aged like roast beef, haha!
Length is King, all that matters is ease of guessing, restrictions/requirements on characters can sometimes make it easier to crack, that's all.
Which itself is dated advice. Now they're recommending cryptographic solutions like authenticators (2FA, not stupid SMS or email stuff). TBF, all my servers use key pairs to login to shells, because passwords on SSH is crazy talk. That however is not any kind of 2FA unless using a passphrase, and doesn't really meet the requirements that are the entire point even if it is (passphrase can get compromised with keyloggers).
2FA scares me because of my personal experiences. If your device is damaged in some way, which is often not something that's predictable, you're screwed. I know because it's happened to me before. Lost my Discord account that way.
lendrimujina said:
2FA scares me because of my personal experiences. If your device is damaged in some way, which is often not something that's predictable, you're screwed. I know because it's happened to me before. Lost my Discord account that way.
A great reason why you don't use something that's only on one device
If you want something online use authy, else find some app that allows you to export and keep backups off that phone
We're still looking into how exactly those accounts were compromised, but it doesn't seem like they actually got into our systems in any way.
However a few people that have requested access to their lost accounts back have given me their passwords (unprompted I might add, don't fucking send your password over email or I will find you) and they've all been shit like their date of birth (literally just 8 digits), a name and a number, and similar.
For the love of Sithis please do follow the usual password recommendations and don't just use a password that your grandma can guess in 3 tries over tea.
donovan_dmc said:
A great reason why you don't use something that's only on one device
If you want something online use authy, else find some app that allows you to export and keep backups off that phone
Authy is a bad idea, as it's proprietary and they recently stopped supporting a desktop client.
I'd recommend Ente Auth, as it's fully open source and has clients for just about everything, a few more features than authy, and it allows you to pull all your things and migrate them elsewhere if you so chose.
Here's a password generation solution; Faceroll.
No, that's not a programme, pop a notepad open and roll your face across the keyboard like you're trying to summon Yog-Sothoth, then physically write down on a post-it note or in a book that generated password before using it.
Hopping in to recommend my two favorite password managers:
KeePassXC and KeePassDX
the former for all desktops, the latter for Android.
Both are open source, integrate with browsers / autofill and support TOTP (2FA).
They also both use the KDBX format, a database that contains all your passwords and is protected by your master password (make this one long!)
and can easily be used together as long as you have a cloud solution (e.g. dropbox or google drive) to store your database file in.
Is KeePassXC reliable? I can't afford Dashlane.
I both love and hate my moleskin <3
lendrimujina said:
Most password fields won't even accept Extended ASCII... let alone having the input not being compatible with mobile devices.
2FA scares me because of my personal experiences. If your device is damaged in some way, which is often not something that's predictable, you're screwed. I know because it's happened to me before. Lost my Discord account that way.
Yeah, it's why they compromised on RSA keys just needing a passphrase. Ease of use. Because Smartcards (before TPM) were not exactly the most convenient way, and to do them right, you don't directly use the main certificate. You're effectively your own CA and issue them for each device, unless you go all proprietary, and oops, lost the (physical) key, and better have a spare Yubikey to get back in. XD Note: Some of the best innovation has been making this all more ubiquitous. Just backup your root key protected with a passphrase, somewhere, and then generate unlimited device keys. Hell, you can do this entirely offline, blackbox-style.
Discord account signup is even harder on a new account than key recovery (joke, but they surely suck). It's why it pisses me off when people go behind registration wall on the tallest-walled garden, ever, while looking at me like I'm the sucker.
I agree that Authy is probably a bad idea, for mostly the mentioned reasons.
votp said:
Here's a password generation solution; Faceroll.
No, that's not a programme, pop a notepad open and roll your face across the keyboard like you're trying to summon Yog-Sothoth, then physically write down on a post-it note or in a book that generated password before using it.
LOL, or use PuTTYGen or other entropy catcher and just use at least 16 of the characters it generates for your base64-encoded key. ;)
Online password managers seem like they could be secure if just storing an encrypted copy that is useless without your passphrase and key, but I've heard horror stories of sites losing millions of passwords so they can't all be doing that.
alphamule said:
Yeah, it's why they compromised on RSA keys just needing a passphrase. Ease of use. Because Smartcards (before TPM) were not exactly the most convenient way, and to do them right, you don't directly use the main certificate. You're effectively your own CA and issue them for each device, unless you go all proprietary, and oops, lost the (physical) key, and better have a spare Yubikey to get back in. XD Note: Some of the best innovation has been making this all more ubiquitous. Just backup your root key protected with a passphrase, somewhere, and then generate unlimited device keys. Hell, you can do this entirely offline, blackbox-style.
Discord account signup is even harder on a new account than key recovery (joke, but they surely suck). It's why it pisses me off when people go behind registration wall on the tallest-walled garden, ever, while looking at me like I'm the sucker.
I agree that Authy is probably a bad idea, for mostly the mentioned reasons.
LOL, or use PuTTYGen or other entropy catcher and just use at least 16 of the characters it generates for your base64-encoded key. ;)
Online password managers seem like they could be secure if just storing an encrypted copy that is useless without your passphrase and key, but I've heard horror stories of sites losing millions of passwords so they can't all be doing that.
I still find the idea of taking something that, the only purpose of is to stop other people somewhere else from using it, and putting it where those other people can get at it, insane. I'm not worried about anyone in my house rifling through my codebook and popping into my browser to figure out what the abbreviations refer to, maybe I'm just a grumpy old fuck.
votp said:
I still find the idea of taking something that, the only purpose of is to stop other people somewhere else from using it, and putting it where those other people can get at it, insane. I'm not worried about anyone in my house rifling through my codebook and popping into my browser to figure out what the abbreviations refer to, maybe I'm just a grumpy old fuck.
Housefires happen, but yeah. I used to just keep a list for all of them and then memorize say, an 8-character additional code to keep typing at the end. It would be trolling to call that 2FA? After all, I'd still need the notepad in addition to the thing I memorized. :D
bacup, n. A northern method of backing up your computer, which basically involves writing down everything that's on it. ~ Liff Sentence
I wasn't aware of any of this until I later came back to browse the site on the first of this month. I changed my password immediately and nothing seemed to have happened to me. (At least to my knowledge.) I was originally very nervous about creating an E621 account due to issues like these happening, but so far, it seems that I'm safe? And hopefully it stays that way.
talk1ng-sheep1sh said:
I wasn't aware of any of this until I later came back to browse the site on the first of this month. I changed my password immediately and nothing seemed to have happened to me. (At least to my knowledge.) I was originally very nervous about creating an E621 account due to issues like these happening, but so far, it seems that I'm safe? And hopefully it stays that way.
this all happened on the first of the month.
it does not appear to be a breach of the site at all but rather a mass hijacking of accounts with insecure or compromised passwords.
Oh, I see. Well that explains why I was fine. My passwords are all unique and I do the best I can to make them harder (Obviously not impossible) to crack.
dba_afish said:
it does not appear to be a breach of the site at all but rather a mass hijacking of accounts with insecure or compromised passwords.
As it goes people store up passwords from various breaches, find matching usernames, then throw everything at the wall to see what sticks
then afterwards everyone points at us and assumes it was the site that was hacked and not just malicious actors biding their time to cause as much damage as possible
I can personally say there hasn't been a breach in the nearly two years I've been here, each time some incident has happened it was compiled lists from other breaches
if we were actually breached we'd be required to disclose that (within 30 days I believe?)
from what google's told me in Texas if the PII of at least 250 people was exposed you have to report to the Attorney General as soon as possible but no later than 30 days, and there are other similar laws everywhere else
Businesses and organizations that experience a data breach affecting at least 250 Texans must:
- Report the breach to the Office of the Texas Attorney General (.gov)
- as soon as possible, but no later than 30 days after discovery
- Notify affected consumers of the breach
Other states
All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have laws requiring private businesses and, in most states, governmental entities to notify individuals of security breaches
Would placing a captcha test at the login page significantly hinder future attacks like this?
I feel it would at least prevent trolls from using scripts to mass login into compromised accounts all at once.
I'd prefer Cloudflare's Captcha over Google's ReCaptcha. (Looking at you, Furaffinity)
thegreatwolfgang said:
Would placing a captcha test at the login page significantly hinder future attacks like this?
I feel it would at least prevent trolls from using scripts to mass login into compromised accounts all at once.
do captchas even work anymore? either way, that only slows down the logging in, once the accounts are logged in they still can make just as much of a mess before being caught as they would otherwise.
I'm not really sure what kind of contingency could be implemented to mitigate something like this in the future, though. we could try to create stricter limits, say like 2 threads per hour, 6 blips, or whatever, but a mass of compromised accounts means that they can more or less bypass any per account limits that could be set...
global limits, maybe? I mean, it's unlikely we'd have more than like a dozen forum threads, and 32 blips, created per hour in non-malicious situations. although that might also lead to multiple smaller bursts of malicious spam over a much longer period.
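The per-account versus global limit idea from the post above, worked through as an added example (not site code; the per-account numbers are the ones floated in the thread, the global numbers and the log are constructed for this demo). It replays a constructed audit log of thread creations through a rolling one-hour window and shows that a burst spread across many accounts stays under every per-account limit but trips the site-wide one.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Limits per rolling hour. Per-account values are from the thread; the
# global values are assumed for this example.
PER_ACCOUNT_LIMIT = {"topic": 2, "blip": 6}
GLOBAL_LIMIT = {"topic": 12, "blip": 32}
WINDOW = timedelta(hours=1)


def build_sample_log():
    """Constructed audit log of (iso_timestamp, account, action); not real site data."""
    base = datetime(2024, 1, 1, 3, 0, 0)
    log = []
    # 30 distinct (hypothetically compromised) accounts each create one thread,
    # one minute apart, so every account stays under its own 2-per-hour limit.
    for i in range(30):
        log.append(((base + timedelta(minutes=i)).isoformat(), f"acct_{i:04d}", "topic"))
    # One ordinary user creates three threads inside the same hour.
    for i in range(3):
        log.append(((base + timedelta(minutes=40 + i)).isoformat(), "busy_user", "topic"))
    return log


def _trim(window, now):
    """Drop timestamps that have fallen out of the rolling window."""
    while window and now - window[0] >= WINDOW:
        window.popleft()


def check_limits(log):
    """Replay the log and return alerts as (scope, account, action, timestamp).

    scope is "per_account" when one account exceeds its own limit and
    "global" when the site-wide count for that action exceeds the global limit.
    """
    per_account = defaultdict(deque)  # (account, action) -> recent timestamps
    site_wide = defaultdict(deque)    # action -> recent timestamps
    alerts = []
    for ts_text, account, action in sorted(log):
        if action not in PER_ACCOUNT_LIMIT:
            continue  # unknown action type: nothing to rate-limit here
        now = datetime.fromisoformat(ts_text)
        acct_window = per_account[(account, action)]
        global_window = site_wide[action]
        for window in (acct_window, global_window):
            _trim(window, now)
            window.append(now)
        if len(acct_window) > PER_ACCOUNT_LIMIT[action]:
            alerts.append(("per_account", account, action, ts_text))
        if len(global_window) > GLOBAL_LIMIT[action]:
            alerts.append(("global", account, action, ts_text))
    return alerts


def summarize(alerts):
    """Count alerts per scope and list the accounts the global limit caught."""
    per = [a for a in alerts if a[0] == "per_account"]
    glob = [a for a in alerts if a[0] == "global"]
    return {
        "per_account_alerts": len(per),
        "global_alerts": len(glob),
        "accounts_in_global_burst": sorted({a[1] for a in glob}),
    }


if __name__ == "__main__":
    print(summarize(check_limits(build_sample_log())))
```

The global alert also lists every account that posted during the burst, which is the candidate list a moderator would review, while the per-account rule only ever sees the one legitimate user.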
I'll make a suggestion along the lines of xkcd 936 - a password consisting of a series of random words.
For sites that allow it, I generally create a nonsensical sentence and then modify some spellings and letters to make it even harder to guess at. I also don't reuse these passwords across multiple websites.
bongani said:
I'll make a suggestion along the lines of xkcd 936 - a password consisting of a series of random words.
For sites that allow it, I generally create a nonsensical sentence and then modify some spellings and letters to make it even harder to guess at. I also don't reuse these passwords across multiple websites.
At that point just use a password manager and truly random passwords
You don't need to remember it if you just use a password manager, and good luck remembering those substitutions
if they're common they'll just end up being gotten by a typical dictionary attack
dba_afish said:
do captchas even work anymore? either way, that only slows down the logging in, once the accounts are logged in they still can make just as much of a mess before being caught as they would otherwise.
Forgive me if I sound uninformed, but wouldn't logging into hundreds of accounts (and solving captcha) from a single IP trigger some kind of flag?
Alternatively, if they were using multiple VPNs, wouldn't that be much worse considering that IPs are shared between other VPN users?
I'd imagine it would be much harder to solve captchas while using a VPN.
thegreatwolfgang said:
Forgive me if I sound uninformed, but wouldn't logging into hundreds of accounts (and solving captcha) from a single IP trigger some kind of flag?
Alternatively, if they were using multiple VPNs, wouldn't that be much worse considering that IPs are shared between other VPN users?
I'd imagine it would be much harder to solve captchas while using a VPN.
if they logged in all from the same IP they could've just been ipbanned. from what I understand, this attack was distributed across multiple IPs.
also, I believe that there are already a lot of common VPNs and Tor exit nodes which are blocked or restricted generally.
dba_afish said:
if they logged in all from the same IP they could've just been ipbanned. from what I understand, this attack was distributed across multiple IPs.
also, I believe that there are already a lot of common VPNs and Tor exit nodes which are blocked or restricted generally.
Former tor user- yeah, you're gonna get logged out every few pages because a lot of tor-associated ips are outright blocked lol.
donovan_dmc said:
At that point just use a password manager and truly random passwords
You don't need to remember it if you just use a password manager, and good luck remembering those substitutions
if they're common they'll just end up being gotten by a typical dictionary attack
Password managers are increasingly-tempting targets for attack for the simple purpose that one simple point of failure means a lot of people are going to get a lot of their stuff compromised.
Better to keep my passwords as off-my-device as possible.
bongani said:
Password managers are increasingly-tempting targets for attack for the simple purpose that one simple point of failure means a lot of people are going to get a lot of their stuff compromised.
And with good enough encryption, they're still just gonna be left to brute forcing, in which case the 32 character randomly generated passwords they give you will take longer than they'll be alive to hack you.
bongani said:
Password managers are increasingly-tempting targets for attack for the simple purpose that one simple point of failure means a lot of people are going to get a lot of their stuff compromised.
Better to keep my passwords as off-my-device as possible.
If you're a high value target planning on living for a couple million years then yeah, an online password manager probably isn't the best idea
If you're really that paranoid just self host your own
I self host a https://psono.com instance (not because I'm paranoid, because it's free)
Doesn't even need to be accessible outside of your home network, mine sure isn't
talk1ng-sheep1sh said:
I wasn't aware of any of this until I later came back to browse the site on the first of this month. I changed my password immediately and nothing seemed to have happened to me. (At least to my knowledge.) I was originally very nervous about creating an E621 account due to issues like these happening, but so far, it seems that I'm safe? And hopefully it stays that way.
LOL, don't reuse passwords, amirite?
talk1ng-sheep1sh said:
Oh, I see. Well that explains why I was fine. My passwords are all unique and I do the best I can to make them harder (Obviously not impossible) to crack.
:P
thegreatwolfgang said:
Would placing a captcha test at the login page significantly hinder future attacks like this?
I feel it would at least prevent trolls from using scripts to mass login into compromised accounts all at once.
Not appreciably. It sounds like they were testing these accounts over months, and captcha can be guessed reliably by machines, now. :( The solution some people have used is to compile a list of known compromised passwords, and then test them, themselves. Basically, someone working at a company IT security cracking their own passwords to see if someone chose a bad password. This practice made it clear that password 'complexity' is nonsense, other than length and REUSE. Also, that you can effectively treat passwords as same entropy as random base 64 (as in, no more than 6 bits per character if mixed case plus numbers). Basic arithmetic shows that 5 bits (roughly same as a...z, 0...9, no mixed case, AKA Base 36) is not appreciably any different with 16-character passwords.
The 30-day rule is just common sense. Ideally, you'd report it immediately after locking the accounts... like just happened. Having to actually have a law for it is lulzy, but some companies suck so here we are.
It feels like the FA captcha thing was set to overly-paranoid, expires logins, etc. Pixiv does their own thing that's similar. It feels stupid when you already have the previous cookie, the password, AND the same IP address and browser. I mean, if you're pwnd that bad, nothing can help you as an end-user. XD It's doubly so when I have a unique and long password at FA. You'll notice that banks, email, VPS and other critical sites keep track of 'devices', usually.
There's this concept called spraying where you use hundreds of IP addresses or over a long period of time for many many sites, to test them. Yeah, no way they tried it from one address for this site, specifically.
Hilariously, you could actually print out on a billboard your passphrase-protected password database file, and be perfectly fine unless you got extremely unlucky. I mean, you could literally post it on social media sites. But if you choose poorly or they win the password lottery and guess many characters in-a-row, hurts to be future you!
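An added example (not from any poster) carrying through two points raised above: the base36-versus-base64 entropy arithmetic from the reply to thegreatwolfgang, together with the xkcd 936 random-word idea from bongani's post, and the "compile a list of known compromised passwords and test against it" practice. The compromised list and the word list are constructed for the demo; the lookup mirrors the k-anonymity range-query layout (only the first five hex characters of the SHA-1 are used as the lookup key) so the full hash never has to leave the client.

```python
import hashlib
import math
import secrets

# Character-set sizes discussed in the thread: base36 gives ~5.17 bits per
# character, base64 gives 6 bits per character.
CHARSETS = {"base36": 36, "base64": 64}

# Constructed word list for the passphrase example (a real list has ~7776 words).
CONSTRUCTED_WORDS = ["correct", "horse", "battery", "staple",
                     "moon", "river", "cactus", "violin"]

# Constructed stand-in for a corpus of known-compromised passwords; not real breach data.
CONSTRUCTED_COMPROMISED = ["password", "19900101", "fluffy1", "letmein", "qwerty"]


def entropy_bits(charset_size, length):
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(charset_size)


def compare_lengths(length=16):
    """Bits of entropy for a `length`-character random password per charset."""
    return {name: round(entropy_bits(size, length), 1) for name, size in CHARSETS.items()}


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try the whole keyspace at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def random_words_passphrase(words=CONSTRUCTED_WORDS, count=4):
    """xkcd-936-style passphrase drawn with a CSPRNG, plus its entropy in bits."""
    phrase = " ".join(secrets.choice(words) for _ in range(count))
    return phrase, entropy_bits(len(words), count)


def build_prefix_index(compromised):
    """Index SHA-1 digests of compromised passwords by their 5-hex-char prefix."""
    index = {}
    for pw in compromised:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_compromised(password, index):
    """Range-style check: look up only the prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    print(compare_lengths(16))                      # {'base36': 82.7, 'base64': 96.0}
    print(round(years_to_exhaust(82.7)), "years at 1e10 guesses/s for base36")
    print(random_words_passphrase())
    idx = build_prefix_index(CONSTRUCTED_COMPROMISED)
    print(is_compromised("19900101", idx))           # True: a date of birth
    print(is_compromised("correct horse battery staple", idx))  # False
```

The 16-character comparison is the post's point in numbers: 82.7 versus 96 bits is a factor of about 2^13 in keyspace, which is negligible next to the gap between either value and an eight-digit date of birth (under 27 bits).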