how I caught a hacker trying to (or may have) hacked into 1 of my colleagues old accounts.
-
so uh,quick update...
alex's password, unfortunately, is still working.
if that is the case, I hope he still has 2FA on at least some of his account.
also, I decided to check haveibeenpwned and believe it or not, a password he had used was breached!!!!!!
i'm fucking upset that he will not change that password at all, even after confirming that it has been breached, almost 200 times btw.
something tells me that he either sent his password over an email address with that password, or that he sent it over an insecure page.
it makes me question weather he should have access to our stuff or not, i'm planning on revoking it.
if he's going to be that fuckin dumb about his security posture, I will not have someone like that on our team.
in fact, the passwords he uses, I find, are not secure, and even if not breached, can still be cracked just by talking to Alex, like a social engineering attack.
actually, I could get his password just by striking up a conversation with him about his favorite YouTuber, or favorite charactr, then generated a password list based off that alone.
at that point, SE is not even needed, because it's easy to do.
he's very opened about his favorite YouTuber, DaveMadson, who is apart of the logo bloopers community.this is why, as mentioned in FIDO2 support I think passkeys are the way to go. they would require actual stupidity or physical access to the device to get in, and they're more secure.
o and not to mention, if we still hado ur windows server, alex's enemies would've been able to get a hold of easily, even with all the security put in place.
now I don't think his security posture is good, and I don't wonna kick him off my team because he's the CFO and primary domain admin, but if it comes down to it, I may have to.
I hate doing something like this because we've worked together for several years. -
so another update, that password count, which btw was a family password (don't ever use the password for your family) was upgraded to breached 592 times! gotta love that...
-
previously, a year ago, it was breached around 100 to 200 times. now it's 500 times.
massive upgrade from last year... -
@adisonverlice2 the email that was sent to your colleague is extremely common, and is one of the more successful extortion schemes. The extortionist purchased a list of email addresses and passwords from dark web data breaches and simply sent an email to everyone in the breach. The breached password is included in the email to (rightfully) scare the end user into believing the story that follows afterward. The scheme is particularly successful with people who reuse their passwords and super obvious to those who use password managers. You can easily find out if the password or email you use has already appeared in a data breach by directing people to the website: https://haveibeenpwned.com and more importantly, registering your company domain and/or email addresses with their breach notification system.
I assure you, the only lesson anyone learns from these emails is to stop reusing their passwords. Your colleague has done nothing wrong. -
@umnz said in how I caught a hacker trying to (or may have) hacked into 1 of my colleagues old accounts.:
@adisonverlice2 the email that was sent to your colleague is extremely common, and is one of the more successful extortion schemes. The extortionist purchased a list of email addresses and passwords from dark web data breaches and simply sent an email to everyone in the breach. The breached password is included in the email to (rightfully) scare the end user into believing the story that follows afterward. The scheme is particularly successful with people who reuse their passwords and super obvious to those who use password managers. You can easily find out if the password or email you use has already appeared in a data breach by directing people to the website: https://haveibeenpwned.com and more importantly, registering your company domain and/or email addresses with their breach notification system.
I assure you, the only lesson anyone learns from these emails is to stop reusing their passwords. Your colleague has done nothing wrong.of course. weirdly, though, they only sent it to Alex. though they should contact me, if they want a good scare. also I didn't even know that was possible to register domains and stuff. let me see...
-
thank you.
I just added my domain to their domain search dashboard. -
also I should really put the Google version of my blindsoft.net account on the Google advanced protection program, just in case. they do a good job of locking down accounts. my personal account is on there.
-
my colleague thinks i'm "parinoid" because I have 2factor authentication for everything, and require my admins to use 2FA.
i've tryed to tell him the danger of using week and or the same password and he always just called me out. I don't wonna say, laughed me out, I don't think that's the case.
eitherway, my security setup is particularly advanced. for example, I have a different email alias for every account (EG cloudron@blindsoft.net) which you can email right now.
but I won't receive it because the email address was dropped.
unfortunately, I have an old android device from a while back.
I have the braillenote touch plus which i've had to lock down.
even though it was purchased by my educational organizations, for whatever reason they refuse to manage it. -
interestingly, even though it can be updated, humanware has decided not to update the braillenote any ferther than android8.0. I actually spoke with a technical guy about it. and while i would like to port it over to android 13 or better, i'm afraid I could lose the braille technology (such as keysoft) or lose the braille display abilities.
-
fuckin hell, they could've even just made their own OS, and taken whatever it is that they don't want in the update out. not that hard y'all...sure, the keysoft programs get updated, but the OS itself does not. i'm disappointed
-
@adisonverlice2 said in how I caught a hacker trying to (or may have) hacked into 1 of my colleagues old accounts.:
fuckin hell, they could've even just made their own OS, and taken whatever it is that they don't want in the update out. not that hard y'all...sure, the keysoft programs get updated, but the OS itself does not. i'm disappointed
Isn’t Apple pretty good in this area? https://support.apple.com/en-om/guide/iphone/iph73b8c43/ios
-
@necrevistonnezr said in how I caught a hacker trying to (or may have) hacked into 1 of my colleagues old accounts.:
@adisonverlice2 said in how I caught a hacker trying to (or may have) hacked into 1 of my colleagues old accounts.:
fuckin hell, they could've even just made their own OS, and taken whatever it is that they don't want in the update out. not that hard y'all...sure, the keysoft programs get updated, but the OS itself does not. i'm disappointed
Isn’t Apple pretty good in this area? https://support.apple.com/en-om/guide/iphone/iph73b8c43/ios
they're ok at it, but not great. the braillenote has braille features. the iPhone you have to connect a braille display
-
braille displays cost 2much
-
This post is deleted!
-
apologies, wrong thread. I deleted that post I just made
-
so here is a new, and possibly the final update.
the situation has not worsened, and turns out that I believe he as blackmailed.
so i'm happy to report that the hack was pretty much false.
soundsl Ike this guy just wanted some clout or some money.
I have no ferther intensions of sharing his Bitcoin wallet information, if you want to see that head into the first post on this thread.
but I think we can consider this closed. -
so a new update it seams.
something tells so not much of an update, but I decided to try something.
so I work with a product called bitdefender.
I don't know why I didn't think of this earlier...
so I basically told bitdefender scamio to look at this image, which was obviously an email, that same email...
and it actually gave me this...
It's a scam
You're dealing with an extortion scam. Scammers might falsely accuse you of illegal activities or threaten to release embarrassing information. Often, they claim to have explicit photos or your passwords. Don't panic—these threats are usually baseless. They're just trying to scare you into acting without thinking.
Safety tips:
Verify sender: Check the sender's information to ensure it is from a legitimate source.
Protect personal data: Be cautious when sharing personal info online.
Use security measures: Keep computer security up to date and avoid clicking on unknown links.
so that was good...
if any of you wonna take a look, here it is!
it's a product I used for a while, and i'm surprised I didn't use it for this purpose earlier...
it's been 1 of my favorite scam detection products