SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    If you're going into Classifieds today, you'd better be careful. SCAMMER ALERT
If you're going into Classifieds today, you'd better be careful. SCAMMER ALERT
Peace through
superior firepower
parabellum posted:
At least two members have had their accounts hacked. Proceed with caution. Verify identity, and if a deal is too good to be true, it is.
 
Posts: 114179 | Registered: January 20, 2000

Oriental Redneck
12131 posted:
Fuckers! Mad


Posts: 30999 | Location: TEXAS | Registered: September 04, 2008

Peace through
superior firepower
parabellum posted:
If you have a gmail account you use for your forum account, CHANGE YOUR PASSWORD, to a strong, complex password.

If you're buying anything in Classifieds right now, insist on a phone call with the seller.
 
Posts: 114179 | Registered: January 20, 2000

Prepared for the Worst, Providing the Best
92fstech posted:
Done. I'm really sorry guys. I hate that my account was used for this Mad.


-----------------------------------------------------------

Any comments made by this poster are my own and do not reflect the views or opinions of my employer.
 
Posts: 11817 | Location: In the Cornfields | Registered: May 25, 2006

Nullus Anxietas
ensigmatic posted:
The systems/database hackers are getting better, the software people that make the stuff that gets hacked apparently are not (and neither are the end-users), so, much like the forced transition to HTTPS-only, I see the day fast approaching where the only safe way to maintain any on-line account is with two-factor authentication (2FA) using TOTP/HOTP, with an app such as Google Authenticator or 2FAs.

(I'm currently using 2FAs for 2FA for every on-line account I have that supports it.)



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26151 | Location: S.E. Michigan | Registered: January 06, 2008

Shall Not Be Infringed
nhracecraft posted:
Well, I am now back. Like '92fstech', I too am sorry for the hassle this incident may have caused anyone here. It appears it was my SIGforum account that was hacked, but I'm now changing passwords EVERYWHERE as a precaution!

Para - Thank you for all your help, and EVERYTHING you do! Smile


____________________________________________________________

If Some is Good, and More is Better.....then Too Much, is Just Enough !!
Trump 47....Making America Great Again!
"May Almighty God bless the United States of America" - parabellum 7/26/20
Live Free or Die!
 
Posts: 10873 | Location: New Hampshire | Registered: October 29, 2011

Prepared for the Worst, Providing the Best
92fstech posted:
If I have to guess in this case they probably brute forced my overly simplistic forum password. I haven't accessed the forum or my email from any untrusted devices or networks, and my Gmail account is set up for 2FA and has more of a "passparagraph" than a password. I changed it this morning anyway just to be safe, along with my forum pwd.

My forum account pwd was pretty basic and likely hadn't changed since I set my account up almost 20 years ago. I wasn't super worried about it because it's not tied to any personal info or financials ...heck, I rarely even use the classifieds here. The only reason I caught it this morning was because I used the link in my profile to check recent posts in case there has been any new conversation overnight, and then saw the posts in the classifieds that I knew I hadn't made. I guess I didn't thoroughly consider the scenario that somebody might hack my account with the intent of using it to defraud other people Frown.

Don't be like me, guys...update your passwords.


-----------------------------------------------------------

Any comments made by this poster are my own and do not reflect the views or opinions of my employer.
 
Posts: 11817 | Location: In the Cornfields | Registered: May 25, 2006

Optimistic Cynic
architect posted:
It may be helpful to describe how 92fstech's password was compromised, and where (Para's post implies Google/GMail).

Was it a protocol-based attack against the relevant password store (as ensigmatic's post implies) or an interception/guess/brute force/re-use? If the former, password complexity is no defense, and we should all assume that our passwords are known.

2FA is not without its shortcomings, and can certainly be inconvenient. I would favor public/private key exchange over 2FA although usable implementations have eluded most software developers, and there is the issue of general implementation to get past (everybody has to start using it about the same time). There exist various One-Time Password mechanisms like those listed above and the venerable S/KEY, that can be integrated into the ubiquitous mobile phone deployment that could make a quick revolution to the security environment.

As agentic AIs get more involved in penetrating systems, and communications, maintaining a secure presence on the Internet will get many levels of magnitude more difficult and chancy. Pretty soon we may all be working in an environment where nothing is known for certain, and however hard we try to stay inviolate, we have little chance of success.
 
Posts: 7927 | Location: NoVA | Registered: July 22, 2009

Thank you
Very little
HRK posted:
Done, appreciate the update.
 
Posts: 27668 | Location: Gunshine State | Registered: November 07, 2008

Firearms Enthusiast
Mustang-PaPa posted:
Damn I wondered why a seasoned member like 92 was spamming the classifieds.
Glad it was shut down and hope no one lost money.
 
Posts: 18683 | Location: DFW | Registered: December 26, 2008

Member
P250UA5 posted:
Updated my password just as a precaution. Don't actually know what my old pwd was, now it's more in line with the complexity of my others.




The Enemy's gate is down.
 
Posts: 18527 | Location: Spring, TX | Registered: July 11, 2011

Needs a check up
from the neck up
Timdogg6 posted:
Not to sound like a dip shit but where do you update your password? I don't see that option in the profile section, or preferences?


__________________________
 
Posts: 5413 | Location: Boca Raton, FL | Registered: July 30, 2002

Thank you
Very little
HRK posted:
quote:
Originally posted by Timdogg6:
Not to sound like a dip shit but where do you update your password? I don't see that option in the profile section, or preferences?


Open Profile
Select View/Edit Complete Profile in top right
Click Box to Change Password
Change Password
Write it down so you don't forget it!
Save it.
 
Posts: 27668 | Location: Gunshine State | Registered: November 07, 2008

A Grateful American
sigmonkey posted:
GMAIL users, set two-factor authentication (2FA) active on your GMAIL/Google accounts in addition to changing and using strong passwords.




"the meaning of life, is to give life meaning" Ani Yehudi אני יהודי Le'olam lo shuv לעולם לא עוד
 
Posts: 46423 | Location: Box 1663 Santa Fe, New Mexico | Registered: December 20, 2008

Member
rolin808 posted:
Thank you Para


To whom much is given
Much will be required
 
Posts: 732 | Location: Honolulu | Registered: February 25, 2011

Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by sigmonkey:
GMAIL users, set two-factor authentication (2FA) active on your GMAIL/Google accounts in addition to changing and using strong passwords.

For those who have (relatively modern) smartphones I strongly recommend using TOTP/HOTP 2FA such as supported by Google Authenticator or 2FAs (which is what I use). It's far superior to SMS/MMS 2FA in every way.

The iThings 2FAs app will sync your tokens between your iThings mobile devices and has an Apple Watch applet, which makes it even more convenient.

And, as I've said many, many, many times here in the past: Everybody should be:
  • Using a separate password/pass-phrase for every site
  • Using "tagged" (aka: "plussed") email addresses when possible (see below)
  • Using a password safe (aka: "electronic keyring") to store everything, incl. site URLs.

For a discussion on why you should be using tagged email addresses, please see: Tagged Email Addresses

Poor, sloppy Internet hygiene/behavior is likely to come back to bite you.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26151 | Location: S.E. Michigan | Registered: January 06, 2008

Just because something is legal to do doesn't mean it is the smart thing to do.
posted:
quote:
For those who have (relatively modern) smartphones I strongly recommend using TOTP/HOTP 2FA such as supported by Google Authenticator or 2FAs (which is what I use). It's far superior to SMS/MMS 2FA in every way.



I can only guess that many are like me that don't have a clue what all that means.


Integrity is doing the right thing, even when nobody is looking.
 
Posts: 4640 | Location: Metamora MI | Registered: October 31, 2003

Why don’t you fix your little
problem and light this candle
redstone posted:
My Windows PC and my Android phone are both now using 2FA. I went ahead and changed my Gmail password since it has been a minute.



This business will get out of control. It will get out of control and we'll be lucky to live through it. -Rear Admiral (Lower Half) Joshua Painter Played by Senator Fred Thompson
 
Posts: 3898 | Location: Central Virginia | Registered: November 06, 2006

Nullus Anxietas
ensigmatic posted:
quote:
Originally posted by gjgalligan:
quote:
For those who have (relatively modern) smartphones I strongly recommend using TOTP/HOTP 2FA such as supported by Google Authenticator or 2FAs (which is what I use). It's far superior to SMS/MMS 2FA in every way.

I can only guess that many are like me that don't have a clue what all that means.

Sorry about that

TOTP: Time-based One Time Password
HOTP: HMAC-based One Time Password (HMAC: Hash-based Message Authentication Code)
2FA: Two-Factor Authentication
SMS: Short Message Service (text-only text messaging)
MMS: Multimedia Messaging Service (text, image, video, and audio clip "text" messaging)

You really don't need to know what TOTP and HOTP are, much less understand them, to use them. (I probably should've just left those acronyms out entirely.)

So what happens with TOTP/HOTP authenticators like Google Authenticator and 2FAs {*} is:
  • You get a unique code from the site that's stashed in your authenticator app's little database.
  • A rolling code specific to your account is generated every X amount of time (usually every 30 seconds).
  • That rolling code is synchronized between the app and the server.
  • When you're challenged for that code: You enter whatever the app's showing for that time period and the server checks to make sure it's what it should be.

It's superior to text-message 2FA because:
  • While text messaging is more secure than it used to be much of the time, it is still not regarded as a secure messaging platform.
  • Text messaging is transported/delivered on a "best effort" basis. That means it's not guaranteed.

Both of these arguments apply to email, though email is, or can be, a more reliable transport than SMS/MMS.

{*} Microsoft also has an authenticator. I do not recommend it unless you have to use it because I am informed that, in typical Microsoft fashion, it's almost, but not quite, standard.

This message has been edited. Last edited by: ensigmatic,



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26151 | Location: S.E. Michigan | Registered: January 06, 2008
Baroque Bloke
Pipe Smoker posted:
Welcome back ensigmatic - it’s been a few months. Smile



Serious about crackers.
 
Posts: 11309 | Location: San Diego | Registered: July 26, 2014
© SIGforum 2026