I had my gmail account hacked yesterday, and it sent out a link to what was apparently Viagra spam to everyone on my contact list. I’ve changed my password on that account. But I use that same password for any number of other accounts and applications, and I’m wondering if I need to change the password for all of those as well. As I see it, there are two issues:
Do these hackers know the passwords, or do they use software that bypasses it?
Does the hacker have any way of connecting the person behind this gmail account with any of the other accounts/applications?
There are lots of ways to get passwords – by cracking them, or by getting people to tell them to you. A password is needed, but software can guess most passwords.
Hard to say. If there are obvious similarities, they may try it (e.g., realitychuck@gmail.com and realitychuck@hotmail.com). But it’d be fishing; I’m not sure it’s worth their time to try it.
WAG: They may try common sites such as larger banking / credit card sites, using your gmail account, and see if that password just happens to work there as well.
They may have scanned your account as well to look for emails from other such businesses, to better target their efforts.
Of course, they might have just been intending to send spam, but who knows.
Personally, I’d change the other stuff as well just to be on the safe side.
This is, I believe, why it’s not recommended to use the same password everywhere (and like you I’m somewhat guilty of that). I recently got a password vault tool and am gradually recording everything in that and changing individual passwords as I think of them. Of course it’s annoying to have to switch, say, “MamaZ@ppa” to “R$^43@” especially when I need to retype those passwords on occasion… but it seems safer anyway.
They could have used a virus to get your password weeks before they actually used your email. Better to be safe than sorry. AVG has a free virus scanner, if you don’t already have one.
You need to change all your passwords. The hacker had access to your inbox and may have downloaded all your messages. Some websites (like Facebook) have logins which are email/password. Other websites may have emailed you your signup information which contains your userid.
Your email password should be unique from all other passwords. The main reason is that you freely sign up on other websites which require your email. Any of those sysadmins could look into your account, get your email, and try to log in with the password you used on their site. For instance, an SDMB database admin could get the password you use here and attempt to log in to your email account.
Your computer was not used to send the emails. A zombie computer in some foreign country logged into gmail with your password and sent it out.
Sorry, I was referring to the admins who have access to the data at a file or database level, not necessarily the forum moderators. Even if you, Gary, can’t get the info, the server admin who is able to access the database and vB code may be able to decode the password.
One possibility is crooked programmers. One or more people who work on the website get the data and do bad things with it.
Another possibility is that the website’s server gets a virus. That virus could monitor the login data or take the login database.
In any case, there’s a number of ways your email/password used on website X can be stolen. The key is to limit what they can do with that bit of information.
Are you sure your account was hacked? Do these emails show up in your “sent” folder? It could just be a case of someone “spoofing” your account to make it look like you sent the emails.
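The post above raises the right first question: a mailbox that really sent the messages leaves them in the Sent folder, while a spoofed message only forges the From line. One way to tell the two apart from a received copy is to read the Authentication-Results header that the receiving mail server adds, which records whether the message passed SPF and DKIM for the claimed sender domain. The script below is an added example and is not from the original thread or from any mail provider; the two raw messages are constructed, and the receiving host name mx.example.net is an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a message that really left the sender's provider, so the
# receiving server recorded SPF and DKIM as passing for the From domain.
AUTHENTIC = """From: Reality Chuck <realitychuck@gmail.com>
To: friend@example.org
Subject: hi
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
Message-ID: <constructed-1@mail.gmail.com>

(constructed body)
"""

# Constructed sample: same From line, but injected from a host that is not
# allowed to send for gmail.com and carries no valid DKIM signature.
SPOOFED = """From: Reality Chuck <realitychuck@gmail.com>
To: friend@example.org
Subject: hi
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=gmail.com; dkim=none
Message-ID: <constructed-2@spam.invalid>

(constructed body)
"""

AUTH_FIELD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)")


def from_domain(msg):
    """Domain part of the visible From address, lower-cased."""
    _, addr = parseaddr(msg["From"] or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts and the DKIM signing domain, if any."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_FIELD.findall(header):
            results[method] = verdict.lower()
        m = DKIM_DOMAIN.search(header)
        if m:
            results["dkim_domain"] = m.group(1).lower()
    return results


def classify(raw_message):
    """Return 'authenticated', 'spoofed' or 'unverified' for one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = from_domain(msg)
    res = auth_results(msg)
    # A DKIM pass signed by the From domain means the sender's own provider
    # handled the message, i.e. the account (or a session on it) was used.
    if res.get("dkim") == "pass" and res.get("dkim_domain") == sender:
        return "authenticated"
    # An explicit SPF or DKIM failure means the message came from elsewhere.
    if res.get("spf") == "fail" or res.get("dkim") == "fail":
        return "spoofed"
    return "unverified"


if __name__ == "__main__":
    for label, raw in (("authentic sample", AUTHENTIC), ("spoofed sample", SPOOFED)):
        print(f"{label}: {classify(raw)}")
```

Run it on a message saved as raw source from the recipient's mail client; the verdict only tells you where the message entered the mail system, so an "authenticated" result combined with copies in your Sent folder points at the account itself having been used, which is the case the rest of the thread assumes.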
I don’t know about vBulletin, but the best password systems use your password as the encryption key for your password. I always thought it was quite brilliant.
Assuming, of course, that there’s no way to make the equivalent of a square root function…
There is a plug-in for Firefox that you can use on any machine that has Firefox called LastPass. This will not only generate unique passwords for you, but will keep track of them and (if you so specify) autofill or autolog you in. It also remembers form data and lets you create a profile for each site.
The only downside is that if you use a machine with a key logger on it, your LastPass password can be stolen.
The way around this is to get a YubiKey. This is a small USB dongle that you plug into the USB port of any machine. When prompted for your password in LastPass, you touch the dongle and it sends an encrypted string that LastPass recognizes.
So even if you’re traveling and using insecure machines, you’re still covered.
edit - for machines that don’t have Firefox, there is a portable version of Firefox that you can install to a USB thumb drive, so even in that case you will be able to use LastPass.
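The core of what a password manager does for the reuse problem described in this thread is generate a different random password per site from a cryptographic random source, so that one site's breach exposes nothing else. The snippet below is an added example, not LastPass code or anything from the original posts: it builds per-site passwords with Python's `secrets` module, guarantees every character class appears, and reports the entropy so the "MamaZ@ppa" versus "R$^43@" comparison made earlier in the thread can be put in bits. The character classes and the site list are constructed.

```python
import math
import secrets
import string

# Constructed character classes; a real manager lets the user pick per site.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, classes: dict = CLASSES) -> str:
    """Uniform random password that contains at least one char from every class."""
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes.values())
    # One guaranteed character per class, then fill the rest from the full alphabet.
    chars = [secrets.choice(cls) for cls in classes.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def covers_all_classes(password: str, classes: dict = CLASSES) -> bool:
    return all(any(ch in cls for ch in password) for cls in classes.values())


def passwords_for_sites(sites, length: int = 16) -> dict:
    """One independent password per site; nothing is derived from a shared secret."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    alphabet_size = sum(len(c) for c in CLASSES.values())
    print(f"alphabet size: {alphabet_size}")
    print(f"'R$^43@'-style 6 chars : {entropy_bits(6, alphabet_size):.1f} bits")
    print(f"16-char generated      : {entropy_bits(16, alphabet_size):.1f} bits")
    # Constructed site names for the demonstration.
    for site, pw in passwords_for_sites(["gmail", "bank", "sdmb"]).items():
        print(f"{site:6s} {pw}")
```

The entropy figure assumes the password is truly uniform over the alphabet, which is the case for the generator here and not for a human-chosen string with a word in it; the manager's job is then to remember these values so the user never has to type (or reuse) them.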
LastPass is properly a desktop application, not a Firefox plugin. When you install the desktop application it will automatically search your computer for any passwords that are stored “in the open” (such as passwords saved by IE, Firefox, or Chrome) and will use those password stores to populate its own store. It then offers to destroy the IE/Firefox/Chrome password stores so that you no longer have unencrypted passwords on your drives.
When you install LastPass it will automatically install add-ins/plugins for IE/Chrome/Firefox if you have those browsers installed. I’m not sure about Safari and I know it can’t install anything for Opera because Opera is hard coded against add ons/extensions of any kind.
My gmail account was accessed from China a few months ago. It sent me into paranoia mode because with a little bit of effort expended you could easily get a ton of information on me from my gmail account (because I have a lot of “received” messages in gmail from online banking sites and other such things). It looks like in my case all that happened was someone in China accessed my account through POP3 to use my email address for mass email spam. Looking in my sent messages I had 60-70 phishing emails that had been sent out from my account.
I adopted LastPass after that. Initially my concern with LastPass was this: you give some third party all your passwords, and they store it on their servers. This means for them to fill a form, etc., this information is being transmitted over the internet. However, after doing extensive research, especially research into how passwords are actually stolen, it ends up that this method is actually far safer than storing passwords locally or typing your passwords in manually. Apparently simple keylogging software is one of the biggest “automated” means of password stealing, and since LastPass requires no physical keyboard input, it is totally protected from keyloggers.
LastPass does require the inputting of a “master password”, especially to access LastPass on a new machine. However, the software is nice in that it gives you the option of using an “on screen keyboard” to type in the master password. Since most keyloggers work off of the physical key inputs, the on screen keyboard protects you quite well.
When I was browsing LastPass’s forums they did mention that some malicious software will actually record a video feed of your screen, and that such a piece of malware would be able to get your master password via that route. There are also of course man-in-the-middle attacks which could subvert the integrity of LastPass. But again, based on the statistics you’re a lot safer with LastPass than you are by keeping your passwords locally in a spreadsheet and using copy and paste or typing your passwords in manually.