My e-mail hacked by a MacOSX Member

Cory Bauer

Registered
I have just discovered that my mobileme email had been set to forward to a gmail account that shared the same login name as a member here. I believe them to be linked because I used the same password for my e-mail address as I did for my membership here, which leads me to believe they got my password from here. Could a moderator please contact me for the username of the member who may have hacked me?
 
Contact Cheryl, Scottw or one of the mods (like me) with the details.

If you are able to still access your .mac emails, change the password to something that uses a different logic. Also if you use the same password (or logic for passwords) for any other site, change them as well. Sometimes the people that might know/guess your password are more closely related to you, e.g. once my ex called me because I had changed my email password and he couldn't access it...

It might also be worth checking with http://www.apple.com/support/mobileme/ whether anyone other than yourself has accessed it, e.g. from which IP address the forwards were set up.
 
For future reference, it's an extremely bad idea to use the same password for multiple places. I'd be willing to bet a small amount of money that you use the same password for a banking site, or some site that holds more personal and/or important information than here and your email. Bad, bad idea.

If you have trouble remembering passwords, there are utilities and programs out there that specifically address that problem, like 1Password:

http://agilewebsolutions.com/products/1Password

Also, "hacked" entails that someone used some method of bypassing your password to illegally gain access to your accounts -- which doesn't sound like the case here. It sounds like someone simply guessed your password (was it a strong password, or something easy like a word, phrase, pet's name or birthday?), then tried the same password at another site. This is NOT hacking -- it's simply the result of choosing an easy-to-guess password. Think of it as leaving your front door to your house wide-open, then someone comes while you're away and steals all your stuff... you'd have a hard time convincing anyone that they "broke in" to your house, since they didn't "break in" at all -- rather, they waltzed right through the gaping hole you left open for them.

This may or may not be the situation here; I'm just putting out a fair warning that people need to choose stronger passwords going forward, and no password should ever be used more than once. Wanting to remember easy passwords and avoid forgetting them, or using the same password more than once so you only have to remember a single password is no excuse -- I'd like to just leave my car wide open so I don't have to go through the hassle of putting the key in the lock (it would be much easier!), but that would just be plain stupid and I stand more to lose than I do to gain.

Just information to think about in the future.
 
For future reference, it's an extremely bad idea to use the same password for multiple places. I'd be willing to bet a small amount of money that you use the same password for a banking site, or some site that holds more personal and/or important information than here and your email. Bad, bad idea.
Duly noted, and no longer the case.

Also, "hacked" entails that someone used some method of bypassing your password to illegally gain access to your accounts -- which doesn't sound like the case here. It sounds like someone simply guessed your password (was it a strong password, or something easy like a word, phrase, pet's name or birthday?), then tried the same password at another site. This is NOT hacking -- it's simply the result of choosing an easy-to-guess password.
Trust me, they did not guess my password; it was a string of numbers that mean nothing to anyone. Much as I hate to throw around the "hacked" claim because I think it's cliché and overused, I do believe I was in fact hacked. The member whom my email had been set to forward to is also a member of Nulledscriptz (a webmaster resource forum), a second webmaster forum, and has posts on several forums where he is trying to sell rapidshare accounts, adword vouchers, legalsounds accounts, skype accounts, and vbulletin licenses.
 
I also doubt that it was acquired from the site; vBulletin encodes your passwords when it stores them, so that pretty much only the creators could decode your password. Also only the administrator has access to the file that contains the password, since it is stored in the MySQL database. I doubt ScottW would ever do such a thing, or even spend a bunch of time to steal one member's password. So it would seem that you might have used your password on a not so safe site.
 
I also doubt that it was acquired from the site, vBulletin encodes your passwords when it stores, so that pretty much only the creators could decode your password.
Actually, no one can decode a one-way (hash) encrypted password. The only thing you can do is think of a password, encrypt it, then compare the encrypted password to the one stored in the database. If they don't match, try again. It's called "brute force" cracking.

That's exactly what happens when you log in to any site that stores encrypted passwords -- whatever password you enter in the password box is encrypted using the same method as the original password was encrypted in, the two encrypted strings are compared, and if they match -- voila -- you just logged in. Otherwise, "Invalid password."

Sites who email your password to you (and do not do the "smarter" thing, which is either email you a new, randomly-generated password or require you to visit a form to reset your password and enter a new one) do not store the passwords in an encrypted manner.

There are some encryption techniques that are "two-way," meaning that you can both encrypt and decrypt, enabling one to reverse the encryption of a password if they have the "secret key" or the unencryption method available to them. A lot of these types of encryption techniques are no more effective than just storing the password in plaintext.

Of course, pretty much all encryption techniques can be "cracked," but I would be pleasantly surprised if any member or moderator of this forum has the computing power or the resources and knowledge to do such a thing to a one-way (hash) encryption. If they did, their country's government would probably be paying them six figures or more.

I would hope this forum uses a one-way hash encryption for password storage, but then again, not much havoc could be wreaked if a password was stolen, other than posting a bunch of lewd comments or something.
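The login check described in the post above (hash the entered password the same way, compare the two strings, never "decode" anything) as an added example; this is illustration code, not vBulletin's or this forum's implementation. The PBKDF2 parameters, the storage format and the sample passwords are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not any real site's configuration).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the string a site would store instead of the password itself.

    A fresh random salt is generated per password, so the stored value
    reveals nothing about the password and cannot be reversed; all a site
    can ever do is re-run the same computation on a candidate and compare.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """The login step: hash the typed password with the stored salt and
    iteration count, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash format")
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate_digest.hex(), digest_hex)


def stored_forms_differ(password: str) -> bool:
    """Two sites that salt independently store unrelated strings for the
    same password, so one site's database does not expose the other's
    login even when a user reuses the password."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("example-password-only")  # constructed sample
    print("stored:", record)
    print("correct password accepted:", verify_password("example-password-only", record))
    print("wrong password rejected:", not verify_password("something-else", record))
    print("same password, two sites, different records:", stored_forms_differ("x"))
```

A site that can e-mail you your old password is, by construction, not doing this: it must have kept something it can turn back into the password, which is the "two-way" situation the post contrasts with hashing.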
 
Why not just change your password and lock that hacker out?

Of course this user needs to be questioned and dealt with if guilty.
 
And change your security questions too. If they are easy to guess, such as mother's maiden name or any of the default question/answer combinations, get rid of them.
Have a question that only you know the answer to - and this can mean the answer has absolutely no relevance to the question. Such as "what is my brother's shoe size?" > "I hate ice cream cars!" etc. Only you should know the logic the password recovery question uses. Same can go with recovery birthdays. If they only need to know your birthday to prove they are you for a forgotten password, that's just not enough (unless your birthday is totally made up).

.mac can see a track from where and how an account was accessed. Verify with them that they haven't been contacted with a 'forgotten password' problem by this gmail+whatever ad bric-a-brac this person is using.
They should be able to tell more about when and from where such a forward was put in place.

And never store the pws in keychain if you don't lock your computer when not at desk (as in someone at home or office walks to your desk, and gets logged in...)
I've seen people leave their passwords on a piece of paper at their desk, including someone I worked with who had her SAP password on a sticky note (where with her admin account you could do nearly anything at all).
 