• CitoDay breach

    #2312953

    Good morning. I got an email warning me about a possible massive breach, directing me to Troy Hunt's ever-helpful site:
    https://haveibeenpwned.com/

    It seems that this “breach” may just be a packaging of earlier breaches (I know, for example, that I was caught up in the 2016 LinkedIn breach, the 2012 Dropbox breach, and the 2013 Adobe Creative Cloud breach), but I went ahead and changed the passwords related to that email address for “material” accounts (banking, finance, e-commerce, government) just in case.

    That’s probably an excess of caution, but I know that there are many real experts on this forum, and I was wondering what your take was.

    • #2312997

      Troy has a very good history of alerting people before they are subject to the effects of such breaches. Changing your passwords is a darned good idea, when given such a warning 🙂

      But do make sure you use a strong password – see yesterday’s blog post, the comments on that blog, and the many other topics on AskWoody.

      And just for a test, you can paste a sample password to check its strength:

      @m8urnett‘s work is behind a great password-strength testing site, which really does bust some complacency about passwords.
      It’s worth checking this out:
      https://howsecureismypassword.net/

      • #2312999

        Thank you! I use 1Password and try to use 32 characters or more for my passwords. I am always astonished by the limitations on some sites, however. Macys.com, for example, only allows 16 characters, and limits the characters you can choose. That wouldn’t be so bad if they allowed some form of 2FA or MFA. But of course they don’t.

        I’m CTO for a financial company (capital markets), and our systems allow up to 255 characters (the amount to which we salt anyway).

        Some sites just haven’t gotten the memo about security.

      • #2313064

        you can paste a sample password to check its strength

        Sadly, the “howsecureismypassword” site is not up to scratch for a security site.

        They don’t tell you how they calculate the time taken to “crack” a password. As an example, the same password on the GRC test page shows around 1.5 trillion years vs 37 billion years on HSIMP – although both show a 16 character password is effectively un-guessable.

        They are wrong when they state “Password managers can generate and store uncrackable passwords”. All passwords are crackable.

        They recommend only one commercial password manager and claim it’s free without qualifying what is actually free – no more than 50 passwords.

        cheers, Paul

        • #2313078

          I see the site is now under the umbrella of security.org, and no longer has a link to Mark’s work that underpinned it (or even acknowledges it).

          The concept of highlighting that a short, uncomplicated password gets cracked quicker than a longer, more complex password is easily highlighted by those sites, even though it doesn’t go into the scientific background to it.
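    The replies above turn on how a “time to crack” figure is produced and why two sites can disagree by a factor of 40 for the same password. The following is an added example, not code from this forum, from GRC or from HSIMP: it computes the brute-force keyspace a password forces (every string up to its length over the smallest standard alphabet that covers its characters) and converts it to years at a few assumed guess rates. The class sizes are the usual lowercase/uppercase/digit/punctuation counts; the guess rates and the sample passwords are assumptions made up for the illustration.

```python
import math
import string

# Standard alphabet classes a brute-force attacker infers from the password's
# composition. The class sizes are the usual ones; the guess rates further
# down are assumptions for this example, not rates published by HSIMP or GRC.
CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), len(string.punctuation)),  # 32 symbols
)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Smallest union of standard classes that covers every character used."""
    size = 0
    covered = set()
    for chars, n in CLASSES:
        used = [c for c in password if c in chars]
        if used:
            size += n
            covered.update(used)
    # Characters outside all four classes (e.g. non-ASCII) each widen the
    # alphabet by one; an attacker cannot shrink the search below that.
    return size + len(set(password) - covered)


def keyspace(password: str) -> int:
    """Candidates an exhaustive search covers: every string of length 1..n."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: brute-force entropy, an upper bound only."""
    return math.log2(keyspace(password))


def years_to_crack(password: str, guesses_per_second: float) -> float:
    """Worst-case wall-clock years at the assumed guess rate."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed rates (not from any site): a throttled online attack, one GPU
    # against a fast unsalted hash, and a cracking cluster. Constructed passwords.
    rates = {"online, 1k/s": 1e3, "one GPU, 10 billion/s": 1e10,
             "cluster, 1 trillion/s": 1e12}
    for pw in ("Tr0ub4dor&3", "xK7#pL9$mQ2@wR4!"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits of brute-force entropy")
        for label, rate in rates.items():
            print(f"  {label:<24} {years_to_crack(pw, rate):.3g} years")
```

Every figure this produces scales linearly with the guess rate, so a site that does not state its rate (or whether it assumes an online attack, a fast hash or a slow one) is reporting a number with a free parameter in it. The numbers are also only an upper bound: real cracking runs dictionaries, leaked-password lists and rule-based mutations before any exhaustive search, which is why “uncrackable” is the wrong word even for a 16-character password that is technically un-guessable by brute force.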

    • #2313012

      but I went ahead and changed passwords related to that email address for “material” accounts (banking, finance, e-commerce, government) just in case.

      Changing the password for a pwned email won’t help you at all against spammers, ransomware, phishing mails…

    • #2313026

      ? says:

      Alex, but doesn’t changing the password on the pwned email keep the baddies out of the control panel? At least if they had picked the lock? When I checked my AOL at Have I Been Pwned, the email was data-breached (x2) but the password checker there came back clean (changed it again anyway)…

      • #2313037

        It won’t stop the arrival of malspam, where the address has already been shared by the spammers. But you are quite correct, changing the password stops them from logging into your webmail with the original password, and changing all your settings!
        🙂
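      The “password checker” mentioned above is Pwned Passwords, which is designed so that the password itself is never sent to the service. As an added example (not code from this thread or from Have I Been Pwned), the block below implements the client side of that k-anonymity lookup: hash the password with SHA-1, send only the first five hex characters to the range endpoint, and compare the remaining 35 characters against the returned list locally. The range URL and the Add-Padding header are the real API; the sample response, its counts and the stand-in `sample_fetch` function are constructed for this example so it runs offline (only the first suffix is the genuine SHA-1 suffix of “password”).

```python
import hashlib
from typing import Callable

# Real endpoint; the offline demo below never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix ever leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse '<35-hex-char suffix>:<count>' lines into a suffix -> count map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            continue  # skip malformed lines rather than trusting them
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus; 0 means not found.
    Padded entries (count 0) therefore read as absent as well."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the HTTP call. These suffix/count lines are made up
# for this example and are not real HIBP data; the first suffix is the genuine
# SHA-1 suffix of "password" so the lookup below finds it.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1F4A8B21DF1CC2C3B8A1E0D6C5B4A3F2E1D:17\n"
    ),
}


def sample_fetch(prefix: str) -> str:
    """Offline fetch: returns the constructed bucket, or nothing for other prefixes."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_fetch(prefix: str) -> str:
    """Real query (network). Add-Padding asks the API to pad the response
    so its size does not reveal which prefix bucket was requested."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, sample_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

Swap `sample_fetch` for `live_fetch` to query the real service; the password and its full hash still never leave the client, which is why it is reasonable to run this check on a password you actually use. A “clean” result only says the exact password is not in the corpus, not that the account or address is untouched by a breach.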

    • #2313050

      ? says:

      Thank you, Kirsty. What an understatement. The AOL account has been awash in (politely) “malspam,” from some of the best in the business such as AS203087 (scam score 100%) and AS28907 (88%), among hundreds of others.
