GMail Hacked--Passwords "Released" by Hackers

RogerB

Crusader
For you guys who have GMail and/or other Google stuff you don't want out and about, you'll need to know this . . .

Screw Google: they are now relegated to being about as reliable and responsible for their customers as the Kult . . . .

This below sent to me by WordPress where I have accounts, etc., NOT Google.

Google has not alerted me at all . . . This received this morning.

New post on WordPress.com News
This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users.
We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password. We also sent email notification of the password reset containing instructions for regaining access to the account. Users who received the email were instructed to follow these steps:

  1. Go to WordPress.com.
  2. Click the “Login” button on the homepage.
  3. Click on the link “Lost your password?”
  4. Enter your WordPress.com username.
  5. Click the “Get New Password” button.
In general, it's very important that passwords be unique for each account. Using the same password on different web sites increases the risk of an account being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.
It's also a good idea to enhance account security by enabling two-step authentication on services that support the feature. Two-step authentication can be set up on WordPress.com by following these steps:

  1. Browse to WordPress.com.
  2. Hover over the user avatar at the top right of the screen.
  3. Click "Settings."
  4. Click "Security" from the submenu.
  5. Follow the instructions provided there.
We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.

 

Dulloldfart

Squirrel Extraordinaire
4 days ago I read an article about this, don't remember where but it wasn't obscure. It included a link to check if one's account was on it. I checked for a couple of my accounts and they weren't included, so I forgot about it.

Quite apart from the NSA and spook-associated agencies from various countries, it's pretty hard to trust that ANY of one's internet-related traffic is completely secure. I just accept it as a fact of life. I mean, if you live in New York there's a chance of getting mugged, but I doubt if that stops you (Rog) from walking outside.

Paul
 

Lone Star

Crusader
I had an interesting phishing attempt yesterday while online. All of a sudden I got a screen saying that my computer had been infested with a serious Trojan Virus and that I needed to call the toll free number on the screen. The screen had the Windows Security logo. It just still seemed very fishy to me. Oh, and there was even a voice reading the message over the speakers.

I chose to close it and I went to my firewall, which is Windows Defender, made sure it was updated and ran a scan. Nothing came up. I also ran a scan with my Comodo virus software. Nothing.

So it looks like the Ruskies are getting more and more creative! LOL...
 

Enthetan

Master of Disaster
My wife had a phone call a few days ago from somebody saying he was "Windows Security" and asking her to do some things to "check security". She hung up.

They called back when I was home, from a number which said "Bermuda" and it seemed to be a boiler-room type operation with people who barely speak English working from a script.

Something is going on.

Regarding the "Gmail leak", Mashable had an article with some good advice:

Should You Trust a Site to Check If Your Gmail Password Was Leaked?



In the wake of the latest leak involving 5 million Gmail addresses and (some) passwords, the advice was the same one we give in every situation like this: Change your password — especially if you re-use it on multiple services and websites.

But if you're checking to see if your email address and password is on the leaked list, beware of how you do it. You could get roped into another attack.

See also: The 25 Worst Passwords of 2013

In the frenzy to figure out whether this leak was very bad news — it wasn't as most passwords were old and not even Gmail ones — many people happily typed their email addresses into these sites. But, was that a good idea? Should we all trust a website (any website) with our email address just for the sake of checking if we have been hacked?

In this case, a website called IsLeaked was the most popular site that offered this service, and the one that pretty much every news story (including Mashable's) was pointing to.

Hours after it surfaced, James Watt, an IT professional, questioned the site's legitimacy by pointing out it had been created two days before the Gmail addresses leak. His main criticism missed the point. The site had been created after a similar leak earlier this week involving email addresses and passwords pertaining to Russian providers Yandex and Mail.Ru, according to IsLeaked's owner, who declined to give his or her name to Mashable.

But Watt stood by the main point he was trying to make.

"I strongly discourage giving your information to any third party that claims to check your security for you," he told Mashable.

The problem, he argued, is that you don't know who you're giving it to, and for all you know you might be sending your email to the same hackers who put out the list or someone else who is harvesting emails to sell them to spammers or get new, fresh email addresses to try to hack. Others on Reddit seemed to share his concern, and someone even created an open source "private" tool that checks the database of leaked emails without sending the address over to the site.

(snip)

In this case, Gmail actually said it forced the people whose password was indeed on the list ("less than 2%" of the 5 million), to reset their passwords. So there's actually no need to check if your email is on that list anymore. If you haven't heard from Google, you should be fine.


More at the link.

Personally, I use multiple email addresses. For web sites that demand an email address in order to allow you to register, I give them a throwaway address that I use only for such purposes, and for which I don't care if it's inundated with spam.
 

Dulloldfart

Squirrel Extraordinaire
It is now. I'd change your password if I were you.

You only have to give your email address, not the password too. I don't mind sending them or posting my gmail address because (1) it's given out willy-nilly with PaulsRobot and is easily verifiable as mine, and (2) Gmail does a *superb* job of filtering out spam. I get maybe 2 or 3 spam emails a week in my regular gmail inbox, which is *wonderful* compared to how it used to be and how it is with other email providers that I have (and rarely check).

Paul
 

RogerB

Crusader
Yes . . . my main reason for posting as I did apart from some here not being aware of the Russian Hackers offering the list out and about was, for me the interesting point that WordPress took the trouble a) to act and check on behalf of their clients and b) Google screwed up, ran for cover and alerted none of their "customers."

Guess who one can now see is nicer and more reliable and trustworthy.

I had seen the mention of the hacked list on offer a few days earlier in the print media . . . still no word from Google . . .

Doesn't worry me . . . I had to have a Google email account in order to create my FaceBook page for my videos . . . and deal with some friends here in the days we were linking up on Google+ . . . .

My main email traffic is elsewhere.

R
 

shanic89

Patron Meritorious
Hey Roger, the article you posted mentions that WordPress checked the leaked passwords against their user passwords. This would mean that WordPress user passwords are stored in plain text for them to be able to do this. That seems like total bullshit or incredibly irresponsible; no one stores passwords in that manner anymore, and if they do it's insane. This seems like a scam of some sort.
 

RogerB

Crusader
Hey Roger, the article you posted mentions that WordPress checked the leaked passwords against their user passwords. This would mean that WordPress user passwords are stored in plain text for them to be able to do this. That seems like total bullshit or incredibly irresponsible; no one stores passwords in that manner anymore, and if they do it's insane. This seems like a scam of some sort.


Dunno . . . I admit to not being a techie . . . but I checked various ways to satisfy myself it was legit . . . . you can too. Note the live link direct to the WordPress website at the bottom.

Here's the entire email to me sans my personal address:



Subject:
[New post] Gmail Password Leak Update
From:
"WordPress.com News" <[email protected]>(Add as Preferred Sender)
Date:Fri, Sep 12, 2014 8:28 pm
To:r******[email protected]******.com
Respond to this post by replying above this line



New post on WordPress.com News

This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users.
We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password. We also sent email notification of the password reset containing instructions for regaining access to the account. Users who received the email were instructed to follow these steps:
1. Go to WordPress.com.
2. Click the “Login” button on the homepage.
3. Click on the link “Lost your password?”
4. Enter your WordPress.com username.
5. Click the “Get New Password” button.
In general, it's very important that passwords be unique for each account. Using the same password on different web sites increases the risk of an account being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.
It's also a good idea to enhance account security by enabling two-step authentication on services that support the feature. Two-step authentication can be set up on WordPress.com by following these steps:
1. Browse to WordPress.com.
2. Hover over the user avatar at the top right of the screen.
3. Click "Settings."
4. Click "Security" from the submenu.
5. Follow the instructions provided there.
We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.
Daryl L. L. Houston | September 12, 2014 at 11:53 pm | Tags: security | Categories: Notifications, Security | URL: http://wp.me/pf2B5-7rx

***** to no longer receive posts from WordPress.com News.
Change your email settings at ******.
Trouble clicking? Copy and paste this URL into your browser:
http://en.blog.wordpress.com/2014/09/12/gmail-password-leak-update/



 

strativarius

Inveterate gnashnab & snoutband
Hey Roger, the article you posted mentions that WordPress checked the leaked passwords against their user passwords. This would mean that WordPress user passwords are stored in plain text for them to be able to do this. That seems like total bullshit or incredibly irresponsible; no one stores passwords in that manner anymore, and if they do it's insane. This seems like a scam of some sort.
This subject came up a few weeks back. I suppose it depends on what you mean by 'plain text'. Unix/Linux passwords (and it's reasonable to suppose that WordPress uses Linux servers) are stored in plain text files readable by any text editor like Notepad, in a file called /etc/shadow, but that is an encrypted version of the password.
 

shanic89

Patron Meritorious
This subject came up a few weeks back. I suppose it depends on what you mean by 'plain text'. Unix/Linux passwords (and it's reasonable to suppose that WordPress uses Linux servers) are stored in plain text files readable by any text editor like Notepad, in a file called /etc/shadow, but that is an encrypted version of the password.

I would imagine that WordPress passwords are stored in a database, not a text file. Logging on to WordPress would bring their servers to a screaming halt if millions of searches on a text file had to be made to retrieve a password/username combination.

My understanding is that what was released was a list of Gmail account names with readable passwords associated with each account name. This would enable a person who downloads the list to sign into the email account itself. So to be able to match a password to an account, an admin would have to be able to retrieve his/her users' passwords; good business practices should make this impossible to do. The only other way would be for the admin to attempt to sign into accounts, and this also should be a big no-no. Here we are talking about WordPress matching passwords of their users against a list of leaked passwords, so I'm guessing they have access to their user passwords, which just does not seem right to me.
 

MrNobody

Who needs merits?
This subject came up a few weeks back. I suppose it depends on what you mean by 'plain text'. Unix/Linux passwords (and it's reasonable to suppose that WordPress uses Linux servers) are stored in plain text files readable by any text editor like Notepad, in a file called /etc/shadow, but that is an encrypted version of the password.

It won't even be necessary to decode and read /etc/passwd or /etc/shadow.

Raw script draft:
1 Fetch username and password from ASCII file (1 name and password per line) and send it to Wordpress login screen.
2 If Login=successful (send auto-email to affected user)
3 while not EOF goto 1

All in all with all the extras, that'd still be less than 20 lines of code. Less than 5 minutes of work for any decent programmer and nobody would have to decode and read any confidential user data.

Might be hard from the outside, but should be a piece of cake for any programmer who legitimately works for Wordpress - or for Googlemail, for that matter.

Of course that script would work with ANY username/password so it might be smart to change one's password to a good and strong one anyway.

EDIT:
Of course there's a huge bug in my draft, but any programmer worth their salt would spot that one right away. :biggrin:
 

strativarius

Inveterate gnashnab & snoutband
I would imagine that WordPress passwords are stored in a database, not a text file. Logging on to WordPress would bring their servers to a screaming halt if millions of searches on a text file had to be made to retrieve a password/username combination.

My understanding is that what was released was a list of Gmail account names with readable passwords associated with each account name. This would enable a person who downloads the list to sign into the email account itself. So to be able to match a password to an account, an admin would have to be able to retrieve his/her users' passwords; good business practices should make this impossible to do. The only other way would be for the admin to attempt to sign into accounts, and this also should be a big no-no. Here we are talking about WordPress matching passwords of their users against a list of leaked passwords, so I'm guessing they have access to their user passwords, which just does not seem right to me.
Yes, I've just Googled the subject of WordPress briefly and saw mention of MySQL. (I've got MySQL on my Linux system here.) I agree it's odd that they should be able to see their users' passwords.
 
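The point argued back and forth above (whether a service must hold plaintext passwords to match them against a leaked list) has a standard answer, which neither the login-attempt script nor a plaintext table is needed for: a service that stores only a per-user random salt and a slow hash can take each leaked (address, password) pair, hash the leaked candidate with that user's own salt, and compare the result to the stored hash. A match means the user reused that password (reset it); a non-match with a matching address is the "not immediately vulnerable" case in the WordPress post. The following is an added example written for this thread, not WordPress.com's code, and the user store, salts and leaked dump in it are constructed; the hash scheme (PBKDF2-HMAC-SHA256) is chosen for illustration and is an assumption, not a statement about what WordPress.com actually uses.

```python
"""Match a leaked (email, password) dump against a user store that holds
only salted, iterated hashes, never plaintext.

Added example for this thread; not WordPress.com's code. The user store,
salts and the leaked dump are constructed for illustration.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # illustrative PBKDF2 work factor (an assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash. The service stores salt + hash only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What a service would store at signup: a random per-user salt and the hash.
    The plaintext password is discarded once this record exists."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_compromised(user_store: dict, leaked: list) -> list:
    """Return the addresses whose leaked password matches their stored hash.

    Each leaked candidate is hashed with *that user's* salt, so the check
    costs one hash per dump line and never needs a plaintext password or a
    login attempt against the user's account.
    """
    hits = []
    for email, leaked_pw in leaked:
        rec = user_store.get(email.lower())
        if rec is None:
            continue  # address is not one of our users
        candidate = hash_password(leaked_pw, rec["salt"])
        # Constant-time compare so the check itself leaks nothing about the hash.
        if hmac.compare_digest(candidate, rec["hash"]):
            hits.append(email.lower())
    return hits


# Constructed user store (three accounts, all hashed at "signup").
USER_STORE = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("bobs-reused-passphrase"),
    "carol@example.com": make_record("hunter2"),
}

# Constructed dump: bob reused his password elsewhere (real hit), alice's
# entry is an old password that no longer matches (address only, no reset),
# dave is not a user here at all.
LEAKED_DUMP = [
    ("Bob@example.com", "bobs-reused-passphrase"),
    ("alice@example.com", "old-password-from-2009"),
    ("dave@example.com", "whatever"),
]


def demo() -> list:
    """Run the constructed dump through the check."""
    return find_compromised(USER_STORE, LEAKED_DUMP)


if __name__ == "__main__":
    print(demo())  # -> ['bob@example.com']
```

Because the salt differs per user, there is no shortcut that hashes the dump once and compares against everyone; the work is one slow hash per dump line, which for a five-million-line list is an afternoon's batch job, not a design problem. Note also what the check deliberately does not do: it never logs in as the user, so it triggers no lockouts and leaves no misleading "successful sign-in" entries in the user's own activity history.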

Claire Swazey

Spokeshole, fence sitter
I had an interesting phishing attempt yesterday while online. All of a sudden I got a screen saying that my computer had been infested with a serious Trojan Virus and that I needed to call the toll free number on the screen. The screen had the Windows Security logo. It just still seemed very fishy to me. Oh, and there was even a voice reading the message over the speakers.

I chose to close it and I went to my firewall, which is Windows Defender, made sure it was updated and ran a scan. Nothing came up. I also ran a scan with my Comodo virus software. Nothing.

So it looks like the Ruskies are getting more and more creative! LOL...

I had, where I worked, this thing that popped up going blah blah FBI, blah blah child abuse, with DRUG STORE LOGOS on the bottom, demanding 200.00. I told IT and they wiped my computer clean. Was a virus. Came home, told John, and a couple months later came up on our computer at home. Told a friend about it and he'd heard of it. Scam, of course.

Lately, we've been getting calls- sometimes several times a day- from India or somewhere like that- saying the caller is from "Windows" and blah blah your computer, blah blah. What they want is remote access, probably to get financial and other data, I guess, right?

Last week they called at 6:55 a.m. on a Saturday (grrr!) and called me sir. We do not have caller ID on our landline. Dickweeds!!

We've done various things. Claimed we don't have a computer, claimed we have Linux. John likes to just set the phone down quietly without disconnecting it and walk away.

We also sometimes get calls from some auto warranty thing, also with Indian accents and crap like that. But the "Windows" ones are the main ones. If they get our voicemail, as is usually the case, they just hang up.

I heard of a few people who just kept them on the line to fuck with them. One guy, though, foolishly LET THEM IN to his computer and was fucking with them. They figured it out and wiped all his personal data in revenge. Why the hell would anyone want to take that kind of risk?

Though, I will say this, the Anus Laptops thing was uber successful!!! Google it sometime. You will laugh your asses off.
 

Kemist

Patron with Honors
My wife had a phone call a few days ago from somebody saying he was "Windows Security" and asking her to do some things to "check security". She hung up.

They called back when I was home, from a number which said "Bermuda" and it seemed to be a boiler-room type operation with people who barely speak english working from a script.

Something is going on.

Guy with a thick Indian accent, with other voices in the background, who asks about your Windows computer that supposedly "sends files" to their server?

I got two such calls, and have friends who got them too. If you continue the call, guy gets impatient and tries to bully you into doing what he wants.

If you get tired of playing with them, just tell them all your computers run on Linux. They will hang up very fast.
 