My account has been hacked

Postby uther » Sun Dec 19, 2021 3:59 pm

Hello,

My account has been hacked. I received an email that told me that my email had been changed. The password has also been changed. I can't connect anymore.
How could I fix this problem?
Can someone help me?

Thank you in advance.

Best regards.
uther
 
Posts: 1
Joined: Sun Dec 19, 2021 3:54 pm

Re: My account has been hacked

Postby dingcrash » Sun Dec 19, 2021 4:37 pm

I have the same situation, forwarding address and password changed.
dingcrash
 
Posts: 2
Joined: Sun Dec 19, 2021 4:30 pm

Re: My account has been hacked

Postby Clewby » Mon Dec 20, 2021 9:54 pm

I don't think there is anything that can be done, as a site administrator has no way of knowing if your email or forum posting is actually an attempt to gain unauthorised access to an account.

I suspect the best thing you can do is set up a new account as soon as possible, inform everyone of the change in your email address, and make sure you use a password that is not easy to guess, and make sure that you record it somewhere safe in case you forget it. You can check if a password you wish to use has been used elsewhere by using https://haveibeenpwned.com/, which despite the odd address is a legitimate website. Do check what I am saying is true by an independent source of information. Don't just take my word for it.
Clewby
 
Posts: 27
Joined: Mon Jun 13, 2011 4:48 pm

Re: My account has been hacked

Postby dingcrash » Mon Dec 20, 2021 11:36 pm

As a long time SG user (~15 years) it would be a disappointing outcome if that's the only solution, if only because it undermines SG's fundamental purpose which is to counteract email abuse. I would rather see my hacked account deleted than have it persist in an abused state.

As can be seen from this thread, there are two individuals whose accounts were compromised within a few minutes of each other, and surely this can't be the first time it's happened and won't be the last.

I take the point about how to prove to be the legitimate owner of an account, but given that I was receiving email via SG up until a couple of days ago I can provide details of the state of most of the forwarding addresses created under the account, and also the forwarding address that it was changed to use. Whoever hacked it is unlikely to remove them since I assume they want to harvest my incoming emails. I appreciate that SG is a free service and dealing with this sort of thing is a pain. All I can do is apologize and follow the suggested course of action which is to request help here on the forum.
dingcrash
 
Posts: 2
Joined: Sun Dec 19, 2021 4:30 pm

Re: My account has been hacked

Postby C_D_ » Tue Dec 21, 2021 12:20 pm

Hi, my account has also been hacked. Received an email that protected address has been changed. Please look into the workflow of the authentication mechanism, because I had no confirmation email, just the notification that it had been changed.
C_D_
 
Posts: 1
Joined: Tue Dec 21, 2021 12:11 pm

Re: My account has been hacked

Postby pogue972 » Tue Dec 28, 2021 11:52 pm

Clewby wrote: I don't think there is anything that can be done, as a site administrator has no way of knowing if your email or forum posting is actually an attempt to gain unauthorised access to an account.

I suspect the best thing you can do is set up a new account as soon as possible, inform everyone of the change in your email address, and make sure you use a password that is not easy to guess, and make sure that you record it somewhere safe in case you forget it. You can check if a password you wish to use has been used elsewhere by using https://haveibeenpwned.com/, which despite the odd address is a legitimate website. Do check what I am saying is true by an independent source of information. Don't just take my word for it.


You guys need to be using better, unguessable passwords. Also, DO NOT USE THE SAME PASSWORD HERE AS YOUR SPAMGOURMET ACCOUNT - THIS FORUM ALLOWS FOR PASSWORDS OF UP TO ONE HUNDRED CHARACTERS - USE THAT TO YOUR ADVANTAGE. Because of the likelihood that this version of phpBB is so old it's being exploited by hackers, it's likely that, if so many people are getting their accounts hacked, there has been a breach at SpamGourmet and we ALL should change our passwords ASAP!

I recommend using a 25 to 30 character password like one Roboform can create.

[Image]

Roboform is an all-in-one password manager. It does cost money, but I've been using it for over 20 years and Roboform is the ONLY password manager company I am aware of that has not been hacked. This is because not only do they custom write the code to their password manager, but they wrote the code for their own web server and database out of fully custom code, so there's risk of it being exploited by zero-day hacks on Apache, nginx, or MySQL. They've been in business since 1999.

So, what they've done that's really cool recently is made it so it will have an extension in your browser and when you hover over your login/password information it will prompt to fill and submit it for you.

[Image]

When you sign up for a new site it will prompt you to fill in a new password, then create a completely random password via a PRNG (pseudo random number generator), which I assume is proprietary. I would set it as I have in the picture with as many characters as possible with A-Z, a-z, 0-9, !@#$%^&* and exclude similar characters.

What this will do is keep your password out of any dictionary files, which brute force hackers use to break into an account. So, if your password is found in a dictionary in any language, expect to get hacked. They will also use tools like HashCat and Cain & Abel to do some serious searching that will look for numbers and letters appended to files in the dictionary or simple substitutions like "democracy" becomes "d3mocracy".

What else is cool is Roboform will do the exact same thing on your phone now (At least Android) and when it sees you come up to a screen in a website or app it will pop up with the buttons for automatically logging into the website.

And the absolutely GREAT thing about Roboform is all your passwords are stored in the cloud in AES encryption that not only Roboform knows, but you only have to remember ONE password and that is your master password. I would make this extensively hard but memorable to you. For example, if your favorite movie is The Avengers, you could make your password Th34v3ng3rs. I realize that is simple substitution, but you can do some neat tricks to extend the length of that password. For example, you could add 13 periods in front of the password so it would become ".............Th34v3ng3rs" and I GUARANTEE you that's not going to show up in any dictionary file or be guessed. You could put a bar between each letter so it becomes T|h|3|4|v|3|n|g|3|r|s. That's another one that's not going to show up in any dictionary files. You want to make your Master Password as absolutely impenetrable as possible. There are countless other variations you could make based on what's easiest for you to remember. Because if you lose this password, there's no getting back into your account. Also make sure to take advantage of the 2FA feature in the app for maximum security.

You can set it to log you out under various circumstances, such as anytime the screen saver comes on (which is a bit overkill, IMO, unless you're in public places a lot) or after a certain period of time, or if you put your PC to sleep. If you use this on a smartphone, you will also need a simple 4 digit pin number to access the account while you're still logged in to the account. I wish it allowed for 6 digits, but it only allows 4.

So, Roboform costs a little bit of money (there is a free version you can download, but it's severely limited in what it can do).

Right now, at the time of writing, there is a 30% discount on the software so you can buy 1 year for $16. (12/28/21)

If you use the link I posted, you get 6 months of usage for free. I'm not 100% clear if you can apply the holiday discount or not, but pick what works for you. If you buy Roboform Everywhere, you can put it on your PC, your phone, and then access it via other computers. You can do this by using the Chrome Extension (which also works for Chromium based browsers using Blink such as MS Edge, Brave & Opera.) There is also an extension for Firefox if that is your browser of choice. Both extensions are written by the mfg of the product, not some 3rd party or random user.

So, what I do when I sign up for a brand new website is I choose an email based on my SG parameters. For example, I decided to use watch words to avoid getting spam bombed by someone who didn't know this. Since you don't know what my username is on my account (no, it's not the same as my username here, I'm not that dumb).

[Image]

So, in order for someone to email me and get through, they have to include one of those colors in my email. So, they would have to email something like color-nameofwebsite.myusername@spamgourmet.com. This is a bit of a paranoid feature. AFAIK, I've never seen anyone try to email without the color in the email, but there's only a log of the last 3 eaten emails, so who knows.

As of right now I have the following stats on my SG account:

"Your message stats: 11,452 forwarded, 100,236 eaten. You have 507 spamgourmet address(es)."

So, I am keeping the Spam Gourmet pretty full. But, I will use one of these email addresses, sometimes if it's a sketchy site I might mark it red-websitename.3.username@spamgourmet.com so I'll only get 3 emails from that account before it stops forwarding the email. If I know the emails are legit, I'll add them to my trusted sender list. Then, I either let Roboform generate a password for me to login to the website (some sites disallow characters like !@#$%^&*, so you'll have to manually generate a password without those, which is extremely simple. Just keep it as long as possible).

Also, if you come to one of those websites that won't allow you to paste in your browser's username and password, try the extension Don't F*ck With Paste for Chromium/Blink browsers or the Firefox version which will allow you to bypass these stupid anti-pasting measures.

Anyway, using this method has helped me evade SO many database breaches because they have a bogus email and a super secure password that wouldn't even help them if they cracked it, because I use a new email for every site I sign up for.

So there you have it ladies and gents. The BEST way to evade getting hacked, store your passwords on an AES encrypted cloud service with access anywhere you go, and use a Spamgourmet email to hide your identity from the site you're trying to sign up on.

I HIGHLY recommend this method to signing up for new websites. It's extremely effective and keeps you off https://haveibeenpwned.com/.
pogue972
 
Posts: 47
Joined: Thu May 23, 2013 4:31 am
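
The post above describes two things that can be shown in code: generating a long random password from the character set A-Z, a-z, 0-9, !@#$%^&* with similar characters excluded, and the way a password built from a dictionary word by simple substitution ("democracy" to "d3mocracy") or appended digits is still recognisable. The following is an added example, not part of the original thread and not Roboform's generator; the set of "similar" characters, the substitution table and the tiny wordlist are assumptions made for illustration.

```python
import math
import secrets
import string

# Character set from the post, minus look-alike characters.
SIMILAR = set("0O1lI")  # assumption: which characters count as "similar"
ALPHABET = [c for c in string.ascii_letters + string.digits + "!@#$%^&*"
            if c not in SIMILAR]

# Simple substitutions of the "democracy" -> "d3mocracy" kind (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

WORDLIST = {"democracy", "password", "sunshine"}  # constructed sample wordlist


def generate(length=30):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def is_dictionary_variant(password, wordlist=WORDLIST):
    """True if the password reduces to a wordlist entry after lower-casing,
    dropping appended digits/symbols and undoing simple substitutions."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    candidates = {lowered, stripped,
                  lowered.translate(LEET), stripped.translate(LEET)}
    return any(c in wordlist for c in candidates)


if __name__ == "__main__":
    pw = generate(30)
    print(pw, f"{entropy_bits(30):.0f} bits", is_dictionary_variant(pw))
    for sample in ("d3mocracy", "Democracy2021!", "P4ssw0rd"):  # constructed
        print(sample, is_dictionary_variant(sample))
```

A site or password manager can run a check like `is_dictionary_variant` at password-change time to reject choices that only look random.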

Re: My account has been hacked

Postby michaeldlr » Mon Aug 01, 2022 12:09 am

To get your account restored you need to contact the admin team and let them know the private information you had previously on the account, especially old email addresses. That needs to be sent directly to the admins.

Unfortunately direct admin contact is currently disabled unless you already know their addresses. I'm investigating how to handle this right now.
michaeldlr
 
Posts: 23
Joined: Sun Jul 10, 2016 5:57 pm
