OzBargain Password Compromised

Just got a note from Chrome saying that I had a data breach and it said it was from OzBargain.

I have changed my password so all OK.

Anyone else have this?

Comments

  • nope

  • +7

    Maybe you're using the same user/password for many sites.

    • +24

      This is a very, very common problem in security called credential stuffing (taking a found password and trying it on ebay, twitter, pinterest, etc).

      The best counter to this is to use a different password for every site - which is pretty obvious but can be a pain to remember 20 passwords. If you hate password managers and absolutely resist change, just add a few characters based on the site name.

      e.g. starting with: MyFavPass1!
      - for ebay (last letter y, number of letters: 4) turns into MyFavPass1!y4
      - for pinterest: MyFavPass1!t9

      Systems like this are easy to remember and unless they have a few of your passwords (very rare) and care enough to try and look for password patterns (also rare unless you're a VIP), this will help a bit. You're better off with password managers + strong passwords and multi-factor authentication though, especially for sensitive sites (banks, ebay if you're a seller, social media, etc.)

      • This is great, thank you!

      • +13

        Thank you. I have included this methodology in my password cracking engine, great insight.

        • +3

          Elements are probably already there in some. And if you play around with it a tiny bit (last two letters from the name instead of one, take the number of letters in the name and double it, put the letter/number at the start…) then that’s far more entropy than you can deal with in a reasonable amount of time.

          The best solution is password managers and MFA.

          This is purely an easy trick to tell your parents so the easiest of all passwords don’t get reused on all websites, mitigating some of the currently huge issue and teaching people to consider security a tiny bit more.

          • +1

            @enigma48: Nah, op clicked on email link and changed ozb password so all good

      • Keepass and a strong random password for every site.
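
An audit for the two habits discussed in this sub-thread, exact reuse and the "base password plus site-derived characters" scheme, written as an added example that is not part of any comment above. The function names and the `min_base`/`max_extra` thresholds are assumptions, and the sample vault is constructed from passwords quoted in the thread.

```python
import os
from collections import defaultdict
from itertools import combinations

# Constructed sample vault (site, password); the passwords are ones quoted in the thread.
VAULT = [
    ("ebay.com", "MyFavPass1!y4"),
    ("pinterest.com", "MyFavPass1!t9"),
    ("ozbargain.com.au", "hunter2"),
    ("shopback.com", "hunter2"),
    ("bank.example", "q7#Lw!vR2p@Zk9Xc"),
]

def exact_reuse(vault):
    """Group sites that share an identical password (one breach exposes all of them)."""
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)

def shared_base(p1, p2):
    """Longest common prefix or suffix, so a tag added at either end is caught."""
    head = os.path.commonprefix([p1, p2])
    tail = os.path.commonprefix([p1[::-1], p2[::-1]])[::-1]
    return max(head, tail, key=len)

def derived_pairs(vault, min_base=6, max_extra=4):
    """Flag pairs that differ only by a few characters around a long shared base.

    Returns (site_a, site_b, base_length); the base itself is not returned so the
    report can be logged without exposing password material.
    """
    hits = []
    for (s1, p1), (s2, p2) in combinations(vault, 2):
        if p1 == p2:
            continue  # already reported by exact_reuse()
        base = shared_base(p1, p2)
        extra = max(len(p1), len(p2)) - len(base)
        if len(base) >= min_base and extra <= max_extra:
            hits.append((s1, s2, len(base)))
    return hits

if __name__ == "__main__":
    print("identical passwords:", exact_reuse(VAULT))
    print("shared-base variants:", derived_pairs(VAULT))
```

Every flagged pair shares a base, so a leak of one entry leaves only the few site-derived characters protecting the other.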

  • +2

    Could be that another account has been compromised that you use the same password for Ozbargain. I can't see any breaches reported in haveIBeenPwned.

    • +1

      If OzBargain was hacked it wouldn't be on haveIBeenPwned. It would take a couple of weeks as they have to either buy or download the database.

      • +2

        That's true, but I don't think Google would get the information that much faster. Google wouldn't get it instantly either.

        • Google didn't get a hold of the database. This was just OP's local password manager giving OP a warning.

          • +1

            @No Username: Probably a warning due to a breach of another service that he uses the same login details for, as I said. Unless Chrome is just chucking warnings these days (haven't used chrome in a couple of years so wouldn't know). I was just saying that nothing had come up on haveIBeenPwned.

  • +6

    Same password with Shopback?

    • -2

      Will Ozbargain need to explain how this hack happened or be hassled everyday by people demanding an explanation?

      • +2

        gee, not ozb
        it's because same pass has been used

  • +6

    Chrome's password breaches are based on the password itself being compromised somewhere, not based on the website.

    Likely another site you use the same password with is the one that was compromised - I'm sure we'd have heard about it if OzB had a breach.

  • +3

    If it's the "Change your password" popup, read it carefully.

    A data breach on a site or app exposed your password. Chrome recommends changing your password on <site> now.

    Chrome is saying that your password is the same as one that has been exposed by a site, not necessarily this one.

    Click on Settings > Auto Fill > Passwords (URL: chrome://settings/passwords ) to see all sites that could be 'compromised'.

    • +2

      Yeah, what happens is, there are security-oriented organisations that let you know if your email address and password were exposed by a data breach somewhere in the world.

      Just recently, Chrome started checking these, it's a new feature: If you use the same password in many places, it lets you know that one of those places got hacked, so you can change it everywhere else.

      These hacks are not a threat to you if you simply never re-use passwords.

      But, since every useless website wants a password, and not all support the main sign-on providers like Google etc, password managers are a good solution.

      And of course don't forget the most important trick: enable SMS authentication (MFA) on all your most important accounts.

  • +4

    My password is too strong, a mix of numbers and letters. No one has yet guessed “hunter2”.

    • not passw0rd ?

    • +6

      All I see is "*******"

    • Would be interesting to see if Covid19 pops up on any common passwords lists

  • +2

    Enable 2FA on OzBargain (Link only works for OP)
    https://www.ozbargain.com.au/user/39970/edit/security

    2FA can be enabled in Settings tab > Security

  • Haven't seen anything on our end, but with passwords stored on OzBargain:

    • It's bcrypt with multiple iterations
    • Use 2FA for extra security

  • +2

    think your password is good? Test it here https://www.useapassphrase.com/

    and another good site to see if your email addy has been part of a breach… https://haveibeenpwned.com/

  • +1

    My OzB password is auto-generated by Firefox, even I don't know the password myself.

  • Good news — no pwnage found! in haveibeenpwned

  • +1

    My Ozb Password is the most secured Password I have

  • If you tend to allow Chrome to save your passwords, then you can check with Chrome and it will advise which sites you have used that compromised password, it

    chrome://settings/passwords

    It will list them at the top.

    I had a bad habit of using the same password for gaming, and am pretty sure Fortnite (Epic) got breached.
    Then all of a sudden I had attempts at logging in to all my gaming accounts. My 2 step authentication stopped it, but it's frightening.

    I now use a password generator, also use an authenticator app on my phone, but sometimes I find that annoying

  • Everyone knows 12345678 is uncrackable. Been using it for years. Twice as safe as “password”

  • 49$@S5CO7Z7ia!9 is safe considering the current standards… I am a nice guy, so you can all use this password if you need to replace your 12345678 or something like that… :)

  • +3

    The best PW is INCORRECT.

    Your computer will tell you that your PW is INCORRECT

  • +1

    Thanks for this info. I got that email today and didn't know what to do until I read the Chrome instructions on here. 2 passwords were breached 7 months ago according to Settings - password in Chrome.
