WARNING: thefts due to password reuse
Posted: Wed May 31, 2017 8:55 am
I wanted to raise a warning today. Last night alone, we noticed six instances where customers who reused passwords from other sites have had money stolen from them.
The huge surge in these incidents indicates that some site has had its database breached recently. If the site was careless, then the plaintext passwords are probably being tried at other sites. If the site hashed the passwords, then a brute force attack is probably going on against the contents of the database to find which passwords the hashes correspond to. Studies show that in such cases, hackers can often obtain 60% or more of the passwords in a hacked database through brute force.
The criminals then try the found passwords at other sites. In this case, the scam seems to be that they log in, change the users' payout addresses, and then, after the owner figures out the scheme and changes the address back, impersonate the customer and request a password reset.
So far, over $8000 has been stolen by the thieves at Prohashing alone. Fortunately, one of the thieves appears to have made a mistake which has allowed us to contact the police. An arrest will not directly recover the funds, however: the victims will still have to pursue legal action against the attackers, and there may be no money left to recover.
All of this can be prevented by a single golden rule: never, under any circumstances, use the same password on two different websites. LastPass is quick, easy and free software for managing large numbers of unique, uncrackable passwords. We strongly suggest that customers download LastPass, generate a new random password, and change their password to the randomly generated one. Do this as soon as possible, because the attackers continue to target additional users every day.
----------------
Edited on June 1:
After some research I found that the source of these attacks may be Verizon Wireless. The cell phone provider will perform many customer service requests in exchange for information that is easily obtainable on the Internet, like billing address.
A customer's number, for example, can be switched to a new phone. That phone can then pass SMS authentication at e-mail providers; the e-mail account can then be used to read conversations with other people to deduce more information and to reset passwords at other sites; and so on, until enough information has been obtained to steal money.
I'm not sure what can be done about that problem, as nobody has control over Verizon Wireless's customer service policies. However, a customer using a unique password and LastPass would not be vulnerable, as long as the password was never transmitted to any other site or sent by e-mail or text.
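The pattern the post describes (one attacker logging into many accounts with reused passwords, changing the payout address, then requesting a reset once the owner reverts it) leaves a distinctive trail in a site's own authentication log. The script below is an added example, not Prohashing's code: it runs two simple detections over a constructed log. The log format, the event names (`login_ok`, `login_fail`, `payout_change`, `reset_request`), the sample lines, the RFC 5737 documentation IPs and the placeholder addresses are all assumptions made for illustration.

```python
"""Detect credential-stuffing and payout-hijack patterns in an auth log.

Added example, not Prohashing's code. The log format, event names and
every sample line below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 plays the attacker; 198.51.100.x are
# the customers' usual addresses. ADDR_* are placeholder payout addresses.
SAMPLE_LOG = """\
2017-05-29T10:00:00Z login_ok user=alice ip=198.51.100.20
2017-05-29T18:30:00Z login_ok user=bob ip=198.51.100.21
2017-05-30T23:01:10Z login_ok user=alice ip=203.0.113.7
2017-05-30T23:01:14Z login_ok user=bob ip=203.0.113.7
2017-05-30T23:01:19Z login_fail user=carol ip=203.0.113.7
2017-05-30T23:01:25Z login_ok user=dave ip=203.0.113.7
2017-05-30T23:02:02Z payout_change user=alice ip=203.0.113.7 addr=ADDR_X
2017-05-30T23:02:40Z payout_change user=bob ip=203.0.113.7 addr=ADDR_X
2017-05-31T07:45:00Z login_ok user=alice ip=198.51.100.20
2017-05-31T07:46:30Z payout_change user=alice ip=198.51.100.20 addr=ADDR_ALICE
2017-05-31T08:10:00Z reset_request user=alice ip=203.0.113.7
2017-05-31T09:00:00Z login_ok user=erin ip=198.51.100.33
2017-05-31T09:05:00Z payout_change user=erin ip=198.51.100.33 addr=ADDR_ERIN
"""

LINE_RE = re.compile(r"^(\S+) (\w+) user=(\w+) ip=(\S+)(?: addr=(\S+))?$")


def parse(log):
    """Turn log text into (timestamp, kind, user, ip, addr) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, kind, user, ip, addr = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user, ip, addr))
    return sorted(events, key=lambda e: e[0])


def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """IPs that successfully log into >= min_accounts distinct accounts
    within `window`. Reused passwords let one attacker walk a list of
    accounts quickly, which ordinary customers never do."""
    logins = defaultdict(list)  # ip -> [(ts, user)]
    for ts, kind, user, ip, _ in events:
        if kind == "login_ok":
            logins[ip].append((ts, user))
    flagged = set()
    for ip, seq in logins.items():
        for i, (start, _) in enumerate(seq):
            users = {u for t, u in seq[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def takeover_alerts(events, window=timedelta(minutes=15)):
    """Two per-account checks:
    1. a payout change from an IP that first logged into the account less
       than `window` ago, when the account has a login history from other
       IPs (new device, immediate payout change);
    2. a password-reset request from an IP whose earlier payout change was
       later undone by a different IP (the attacker coming back)."""
    first_seen = {}                # (user, ip) -> first successful login
    prior_ips = defaultdict(set)   # user -> IPs that have logged in
    last_changer = {}              # user -> IP of most recent payout change
    reverted = defaultdict(set)    # user -> IPs whose change another IP undid
    alerts = []
    for ts, kind, user, ip, addr in events:
        if kind == "login_ok":
            first_seen.setdefault((user, ip), ts)
            prior_ips[user].add(ip)
        elif kind == "payout_change":
            seen = first_seen.get((user, ip))
            other_ips = prior_ips[user] - {ip}
            if other_ips and (seen is None or ts - seen <= window):
                alerts.append((ts, "new_ip_payout_change", user, ip))
            prev = last_changer.get(user)
            if prev is not None and prev != ip:
                reverted[user].add(prev)
            last_changer[user] = ip
        elif kind == "reset_request" and ip in reverted[user]:
            alerts.append((ts, "reset_after_reverted_change", user, ip))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    for ts, rule, user, ip in takeover_alerts(evs):
        print(ts.isoformat(), rule, user, ip)
```

On the sample log the first check flags 203.0.113.7 (three accounts in fifteen seconds), and the second raises alerts for alice's and bob's payout changes from that address and for the reset request alice's attacker sends after she restores her own address; erin's change from her only known IP is left alone. In production the thresholds would be tuned against real traffic, and a hit on either rule is a reason to hold payouts and require out-of-band confirmation rather than to act automatically.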