
And then one leak in plaintext compromises all of your accounts because a targeted attacker is presumably smart enough to understand what you did...



If a couple of your algorithmic passwords get leaked, attached to the same email, then the algo could be guessed and you could potentially lose all your accounts.

This is the main thing. A password leak either gets the password or gives you a basis for attacking variations of it.

It's the opposite of surprising, that's exactly how most accounts get compromised.

Doesn't this mean that if you are compromised so are all your users?

Thanks for posting this. The threat modeling in this thread feels very much out of whack with my personal experience. The thing that has led to the most compromised accounts for myself is old, short, unchanged passwords on accounts I had forgotten that probably have been leaked.

Yes, it's just unique for the 'user' of the algorithm.

I think you have a valid point in multi-site leaks if the attacker was focused on my account. I will think about it.


So if your main password is compromised, you're really screwed.

Sure, but then you just log into your email and click a link and then you are in. Lots of sites do this and it would prevent this kind of attack in most cases. (assuming the leaked password was not also reused in email, but then you are in for an entirely different level of hurt anyways)

That's the problem though, isn't it? They don't do password specific permissions, so any leak escalates up to taking over the whole account.

Yeah, I can't think of another way to do this, but one breach and all my financial accounts are leaked? That's not something I can risk.

Arguably, this leak seems to have been the result of password reuse. If you store your data with millions of people and 200 employees have a way to access it, you are exposed to

1. An interesting phishing target for a hacker

2. Lots of employees who can fuck up, a hacker only needs one, one time

I'd say the probability you will be hacked is probably less if you use like a Synology with a reasonably strong password and automatic system updates.


Not being dense at all, it's a valid point, but crossing both leaks helps them find out quickly which logins and password combos to try at disqus, and which accounts will be compromised.

It's a big deal since it will be visible in access logs in plaintext, so if the logs are compromised your users would be too.

This. It's so valuable just to know how exposed you may be. I know a guy who missed a data leak and later got one of his accounts stolen. I think his Steam? It was way back in the day... For him, it was a cheap reminder to take password hygiene seriously. For someone else, it could have been a someone-took-out-a-line-of-credit-in-my-name reminder.

Maybe it's not such a big deal if someone hacks your account on one 'inconsequential' site, but what if they do it across 10, 20 'inconsequential' sites?

You may not give much away on one site, but combine all that data across multiple sites, and maybe I can start building a profile on you, identify you, impersonate you, steal your identity, etc.


First of all, this is extremely commonplace. You can go on Pastebin and find dumps like these easily at any given time.

Secondly, the way these leaks work is that attackers take a large list of leaked credentials from a generic dump from a hacked database. They then try each set of credentials against popular services like Netflix and Spotify. Usually, lots of attackers get the same accounts because they all use similar dumps and therefore get similar results. A lot of these lists of valid credentials end up on sites like Pastebin, and many are sold online as well. You can get cheap Netflix accounts for $1 or less easily on many hacker forums. Often, these accounts come with a warranty because many people who have obtained similar lists of accounts will change the credentials so they can keep individual accounts for themselves.

In conclusion, use unique passwords for every site, otherwise this could easily happen to you.
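The comment above describes credential stuffing: one try per leaked username/password pair, many accounts, one source. The following detection sketch is an added example, not code from the thread or any product; the log format, thresholds and sample lines are constructed assumptions.

```python
"""Flag credential-stuffing bursts in constructed authentication logs.

Stuffing looks different from brute force: the per-source failure count is
high, the distinct-account count is high, and attempts per account stay
near 1. Successful logins from such a source are the accounts whose reused
password was in the dump, so they are returned for priority reset.
Format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=carol result=OK
2024-05-01T10:00:03Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:05Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:06Z src=198.51.100.2 user=alice result=FAIL
2024-05-01T10:00:07Z src=198.51.100.2 user=alice result=FAIL
2024-05-01T10:00:08Z src=198.51.100.2 user=alice result=FAIL
2024-05-01T10:00:09Z src=198.51.100.2 user=alice result=FAIL
2024-05-01T10:00:11Z src=192.0.2.9 user=grace result=OK
"""

def parse_line(line):
    """Split 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_stuffing(log_text, window=timedelta(minutes=5), min_users=5,
                  max_tries_per_user=2.0):
    """Return {src: stats} for sources whose attempts in one burst span
    many distinct accounts with few tries each (stuffing, not brute force)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        if recs[-1]["ts"] - recs[0]["ts"] > window:
            continue  # spread out over time: not a burst (kept simple here)
        users = {r["user"] for r in recs}
        if len(users) >= min_users and len(recs) / len(users) <= max_tries_per_user:
            flagged[src] = {
                "distinct_users": len(users),
                "fails": sum(r["result"] == "FAIL" for r in recs),
                "hits": sorted(r["user"] for r in recs if r["result"] == "OK"),
            }
    return flagged
```

In the sample, 203.0.113.7 is flagged (six accounts, one try each, one success to reset), while 198.51.100.2 hammering a single account is brute force and is left for a different rule.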


This. That was exactly the kind of vulnerability that is meant to be publicly disclosed. Nothing that matters will happen to anyone because of that vulnerability, but people might remember it and next time they'll think twice about how they handle authentication.

Once one of your passwords leaks, all sites with the same security level are unsafe then.

Yes, but the chances of the hacker also compromising your other info is much lower.
