Hacked.

Posted: Fri Dec 28, 2018 11:06 pm
by snooky
I have been sent a "sexploitation" email by a hacker and as far as my son can tell it came from Brazil. The worrying part is that the password which I used on this site was quoted. This has since been changed. I have reported this email to the administrators for their information and to check whether or not the server has been compromised.

Re: Hacked.

Posted: Sat Dec 29, 2018 11:13 am
by peter
This stuff is part of my day job. The data has been harvested from breaches like BA, LinkedIn and Facebook; there are lists for sale, in whole or part, on the internet of hundreds of millions of email and password combinations. My personal details are in five breaches of: 153 million, 593 million, 164 million, "hundreds of millions", 66 million. My work email is in two, one containing billions of email addresses but no passwords and the other 711 million. My employer's email domain has about 14,000 individual mail addresses floating around in various of these lists, mostly ex-employees, many repeats and many not people but subject matter ([email protected]) addresses; for comparison, we have about four thousand current email addresses and use them to communicate with Joe Public and companies.

People are sadly a bit predictable about passwords and some VERY common mistakes are:
    The commonest password used to be "Password".
    Many systems come with default passwords and purchasers do not bother changing them.
    People use the same password for everything, so if the Facebook password of Joe Bloggs is "Christmas" it's a fair bet that it is his password for email, Twitter, KGforum, etc.
    Many websites use your email as your login ID.
    Never changing passwords: if a site they've used has been compromised they are often blissfully unaware; if they are aware they may change their password for that one site but not others.

The advice about random stuff with symbols and numbers in was sadly, like the five-a-day advice, a random idea based on some off-target "common sense". To a computer a random bunch of characters is no more difficult to try than ones that are words. That said, many automated crackers go by dictionary attacks, using massive lists of common passwords.

Modern advice is to check for disclosures, use a different password for each system, use pass phrases where the system can cope with them, change passwords regularly and to use a password safe.

Use:
    https://haveibeenpwned.com to check for your email ID & password being harvested.
    Different passwords on each site.
    Anti Malware on your computing devices.
    Common sense on emails: do not open any spam that makes it through your email provider's defences; delete it or use any automated reporting provided. Your mate hasn't been mugged in Bengal, the company you've never heard of isn't billing you for stuff....
    A password safe to hold those multiple passwords. I use KeePassDroid on my Android phone. It links with the fingerprint security I use to unlock the phone, and I have the password, which is eighteen digits long, written down in one secure place at home. The database is on the phone (backed up at work) and holds twenty-four different personal and work passwords.

For further reading, look at the National Cyber Security Centre website https://www.ncsc.gov.uk and especially their advice aimed at citizens on https://www.cyberaware.gov.uk and their password advice at https://www.cyberaware.gov.uk/passwords
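
An added example, not part of peter's post: a sketch of how a password can be checked against breach data in the way the Pwned Passwords service behind haveibeenpwned.com is designed to be queried, where only the first five hex characters of the SHA-1 hash are sent and the match is done locally. The function names, the counts and the `fake_fetch_range` stand-in for the network call are constructed for illustration; a real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
import hashlib

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used in range responses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the breach data (0 = not seen)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)  # only these 5 hex characters leave the machine
    return parse_range(body).get(suffix, 0)

# Constructed sample data: passwords named in the thread, with made-up counts.
CONSTRUCTED_BREACHED = {"Christmas": 41250, "Password": 98000}

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range request; builds a response for one prefix."""
    lines = ["0" * 35 + ":0"]  # padding-style entry with a zero count
    for pw, seen in CONSTRUCTED_BREACHED.items():
        digest = sha1_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{seen}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("Christmas", "four unrelated garden words"):
        print(candidate, "->", breach_count(candidate, fake_fetch_range))
```
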

Re: Hacked.

Posted: Sat Dec 29, 2018 1:23 pm
by Pa Snip
Wow, that's a lot of useful info Peter. Thanks for taking the time and effort.

Re: Hacked.

Posted: Sat Dec 29, 2018 7:57 pm
by Westi
Blimey Peter!

Didn't understand most of it, but worrying, so will look at your suggested sites to check. I have suddenly been receiving lots of e-mails in German. I thought some company may have sold my details so I just block them, but maybe not sold but trying to get in? Scary. I had my PayPal hacked 3 times so just deleted it in the end as very disappointed in their response to my notification.