Posted to uk.d-i-y
Martin Brown[_2_]
O/T: internet security question (leaked details)

On 20/07/2020 05:59, Paul wrote:
> wrote:
>> Five days ago, I placed an online order with a company that I have
>> used many times, over the years. It's an online supplier of vitamins
>> and nutritional supplements. My account with that company has login
>> details (email address and password) that I used to use for pretty
>> much everything, until various companies enforced changes, to improve
>> security.
>>
>> Two days ago I got an email from Spotify, reporting a login from
>> Germany. I set up my Spotify account in 2012 and haven't used it since
>> then, so I was curious. On checking, the login email address and
>> password are the same old combo as for the vitamin co.
>>
>> Yesterday I got an email from Amazon, warning of a new, suspicious
>> login. Sure enough, my Amazon account uses the old email address and
>> password (all registered credit cards recently expired, so no
>> possibility of rogue purchases).
>>
>> In the small hours of this morning, I got an email from Netflix,
>> warning of a login in the USA. Same deal with email address and password.
>>
>> Clearly, my old, well-used email address and password combo has
>> somehow leaked out into the ether. The question is: how? I can't help
>> but notice the coincidence of my recent order with the vitamin company
>> and, hot on the heels of that, rogue logins to various services. Does
>> anyone have a view on the most likely explanation? Could it be a
>> weakness in the vitamin company's systems/web page, dishonesty of an
>> employee at the company, or is it more likely to be something at my
>> end (e.g. keystroke-logging malware)? I run McAfee on my laptop and
>> use the Google Chrome browser with Win 7.
>>
>> Thanks. Ant.


> Personally I don't trust McAfee as far as I can throw it, but YMMV.
> Their main claim to fame seems to be large corporate discounts.
>
> I think it's pretty safe to assume some aspect
> of this "small company" website is compromised.
>
> Although a keylogger on your home PC cannot be ruled out.
> Malwarebytes is a pretty reliable zapper for such things.
>
> We also don't know the integrity of the password used.
>
> If it was Pa55w0rd or qwerty or in any dictionary then all bets are off.
>
> Small companies rent everything. They can't even
> rent a clue.
>
> I generate long, random password sequences for each
> Internet account created. They're a pain to type in, but I
> keep a stack of pieces of paper with the new ones
> printed on them. Only one site had a security issue:
> the company went bankrupt, and we heard later the
> servers they had were sold without being sanitized.
> (All the account info left the building intact,
> destination unknown.)
>
> If you're using the same password for all of them,
> well, stop doing that :-) Or, uh... Oh. It already
> happened.


It is never a good idea to use the same password login on multiple
sites. Sites vary massively in their ability to keep things secure.

At a minimum, even on toy sites that insist you have a password, include
two random words with the year you first opened it in between. A random
capitalisation (not of the first letters) makes it a bit more secure, and an
unusual character also helps. Beware when they "upgrade" software: I have
had my choice of unusual password character declared illegal once.

Noddy sites get fairly weak passwords. Banks get high-entropy, rule-based
passwords that even someone who has seen one written down will not be
able to remember unless they know the generating rule.

--
Regards,
Martin Brown
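Added example, written for this page and not code from the thread or any of its posters: it turns the advice above into something checkable. It flags a credential reused across several sites (the situation Ant describes), catches a dictionary word in leetspeak disguise such as "Pa55w0rd", builds a "two words with the year in between, one odd capital, one odd character" password of the kind Martin describes, and compares that scheme's entropy with a fully random string of the kind Paul prints out. The eight-word list, the common-password set, the leetspeak table, the 7776-word list size, the 30-year span, the eight capital positions, the 32 symbols and the 64-character alphabet are all constructed assumptions, not figures from the thread.

```python
"""Reuse detection, weak-password check and entropy comparison for the
schemes discussed in the thread. All sample data below is constructed."""
import math
import secrets
import string
from collections import defaultdict

# Constructed stand-in for a real wordlist such as a 7776-word diceware list.
WORDS = ["anvil", "copper", "garden", "lantern", "marble", "otter", "quartz", "willow"]
DICEWARE_SIZE = 7776  # assumed size of the real list used for the entropy figure

# Constructed sample of the kind of common-password dictionary a cracker carries.
COMMON = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Undo the usual digit/symbol substitutions so "Pa55w0rd" compares as "password".
LEET = str.maketrans("0134578@$!", "oleastbasi")


def find_reused(credentials):
    """Group the names of sites that share one password. Passwords never
    leave this function; the caller only learns which sites collide."""
    by_password = defaultdict(list)
    for site, password in credentials.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def is_weak(password, dictionary=COMMON):
    """True if the password is a dictionary word, possibly in leetspeak and
    possibly with trailing digits or punctuation ("Pa55w0rd!", "qwerty123")."""
    lowered = password.lower()
    candidate = lowered.translate(LEET)
    stripped = lowered.rstrip(string.digits + string.punctuation).translate(LEET)
    return candidate in dictionary or stripped in dictionary


def two_words_password(words, year):
    """Martin's rule: word + year + word, one capital that is not the first
    letter of either word, plus one unusual character on the end."""
    w1, w2 = secrets.choice(words), secrets.choice(words)
    body = f"{w1}{year}{w2}"
    first_letters = {0, len(w1) + len(str(year))}
    positions = [i for i, c in enumerate(body) if c.isalpha() and i not in first_letters]
    i = secrets.choice(positions)
    body = body[:i] + body[i].upper() + body[i + 1:]
    return body + secrets.choice(string.punctuation)


def random_password(length=20, alphabet=string.ascii_letters + string.digits + "-_"):
    """Paul's approach: a fresh, uniformly random string per site (64-symbol alphabet assumed)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def bits_two_words(wordlist_size=DICEWARE_SIZE, year_span=30, cap_positions=8, symbols=32):
    """Entropy of the two-words scheme if the attacker knows the rule: only the
    random choices (two words, the year, the capital's position, the symbol) count."""
    return (2 * math.log2(wordlist_size) + math.log2(year_span)
            + math.log2(cap_positions) + math.log2(symbols))


def bits_random(length=20, alphabet_size=64):
    """Entropy of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed credential store mirroring the reuse described in the post.
    store = {"vitamins": "Pa55w0rd", "spotify": "Pa55w0rd", "amazon": "Pa55w0rd",
             "netflix": "Pa55w0rd", "bank": random_password()}
    print("same password on:", find_reused(store))
    print("Pa55w0rd weak?", is_weak("Pa55w0rd"))
    print("two-words example:", two_words_password(WORDS, 2012))
    print(f"two-words scheme: {bits_two_words():.1f} bits, random 20-char: {bits_random():.1f} bits")
```

With a 7776-word list the two-words rule comes out near 39 bits once the attacker knows the rule, which is fine for a noddy site and well short of the 120 bits of a 20-character random string; the gap is the reason for grading passwords by site as Martin suggests, and the reuse check is the reason the grading only helps if no password appears twice.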