my password has been cracked

Frank Fusco

Member
Messages
12,782
Location
Mountain Home, Arkansas
I have had my password cracked on Yahoo. :soapbox: Now, instead of my on-line handle 'Rifleman1776' showing, it is "Cracked by Lickey". As near as I can tell, no other damage has been done. I immediately changed to another password. Since it is (was) the same as I used on Pay Pal, I just changed that also. I had thought my password was pretty safe for two reasons. 1) I figured (obviously incorrectly) that no one would want to bother with someone unimportant. Hey, I ain't Eric Baldwin, ya know. ;) and 2) It was a fairly complex password, eleven characters, five letters and six digits.
It did have one big weakness but, I reasoned, that only someone who knows me very well would have doped it out, like my son, daughter or wife and a couple other people very close to me. It was the first name of my deceased son and his date of death. And the new password is.....:type:
 
Frank,

You have no idea how sick this post makes me - if someone can crack your password that easily, I guess I'm very vulnerable too with my poor little 6-letter password. After all, I'm someone unimportant too. I hope that the "powers that be" can find out the scum who did this to you.

Nancy
 
Frank, You know what is strange? You recently reported that Yahoo said that you needed to change your password and you did and now someone has hacked your password. Things seem to be adding up here.
 
Frank, You know what is strange? You recently reported that Yahoo said that you needed to change your password and you did and now someone has hacked your password. Things seem to be adding up here.
Ya beat me to it, Allen. My guess is that Frank got phished, not cracked. Either way, it sucks. You did the right thing by changing it on PayPal, Frank.
 
26 years in networking. Whoever thought this interest would become a career? Sounds like a clear case of phishing. I'm currently working for the California University system. A favorite around here is the little client you leave behind to capture keystrokes (library computers are a great spot). Then you come back later and collect.

It may be because of the field I'm in but I:

  • Never enter my username or password on ANY machine except my own, even to check email.
  • Have a different password for EVERY account that I have; bank, email, FWW, Amazon, etc.
  • Change my passwords regularly; don't be scared, you'd be amazed how many passwords you can remember given the alternative.
  • Check accounts regularly that I only use now and then; keep a list of places you have accounts in a text file on your computer to help you remember. Long idle accounts are fair game for brute-force-over-time attacks.
  • Change my password the first chance I get if I ever have to give it to anyone in an emergency. They may not be bad guys but they may have jotted it down and left it behind at the internet café.
  • Never even open an email if I don't know who it is from. Everyone I know is aware that if you send me an email and expect me to open it the 'subject' had better be VERY clear. Otherwise it goes straight in the dumper.

Remember, just because you're paranoid doesn't mean they're not out to get you ;-)
 
Those are some good tips Glenn,

These are the ones that I already have been doing, I will keep the others in mind though.

  • Have a different password for EVERY account that I have; bank, email, FWW, Amazon, etc.
  • Change my passwords regularly; don't be scared, you'd be amazed how many passwords you can remember given the alternative.
  • Change my password the first chance I get if I ever have to give it to anyone in an emergency. They may not be bad guys but they may have jotted it down and left it behind at the internet café.
  • Never even open an email if I don't know who it is from. Everyone I know is aware that if you send me an email and expect me to open it the 'subject' had better be VERY clear. Otherwise it goes straight in the dumper.
To add to that list. If I ever forget a password and have to have it sent to me, by email or whatever, I immediately change it as soon as I get back into my account.

You never can be too careful on these interwebs. Not everybody is a snake, but that doesn't mean that they aren't hiding in the bushes nearby.
 
Gentlemen,

We may wish to revise the phishing diagnosis. True, there's something to be said for it at first glance. But let us not forget that just a couple weeks ago Frank was complaining about how slow his machine was. There wasn't enough evidence at the time to openly suggest someone had dropped a trojan on his box, much less to think it had been turned into a spam server, and it was slow because it was busy dishing things out, even though literally millions of machines have been won in this manner and turned into nodes. But this latest incident makes me wonder. His machine was slow, his password was good... too good for any brute force or dictionary attack. This would indicate to me at least the possibility of a keystroke logger.

I know there are a number of experts in the field reading this, everything from forensics guys to code warriors. Any concurring or opposing arguments? If we dismiss it as phishing, Frank may still be vulnerable...

Thanks,

Bill

(ps. Glenn, 60 miles *east* of joshua tree? Don't tell me you're driving all the way to riverside every day? ;)
 
Last edited:
Remember, just because you're paranoid doesn't mean they're not out to get you ;-)


They won't Glenn I don't put any personal information on my computer. They could steal the computer & not get anything that would hurt me. Don't bank on line, Don't purchase on line, don't do any business on line. I use Quicken for keeping track of banking but enter false bank name & give the banks account a false name too.

I have never had a problem operating this way & using the heck out of a cross cut shredder. Anything with a name address or personal information gets shredded.
 
Y'all got me concerned now. I'm sure you (all) are right on target with the phishing thing. Yahoo did (officially) request the password change, I went through their site to make the change. I follow most of the advice regarding passwords. But, I have (had) only three and did not change. What strikes me as very strange is that my Yahoo e-mail and settings profiles do not include the "Cracked by Licky" name anywhere. But it still appears when I post to a Yahoo group. I'm wondering if this jerk/hacker got into the Yahoo server/codes/whatevers. And, also wonder if maybe he is actually a super-jerk working for Yahoo. I do much purchasing, bill paying, Pay Pal-ing, etc. from the Internet. Despite this experience, I will continue to do so. I once saw a study that claimed that internet financial transactions were something like 10 million times more secure than sending a check through the mail in a paper envelop. Everything has risks. I do believe a formating will be happening soon. Hate to. That backing up and then reinstalling business is a time consuming hassle. I may kid some about geeks, but there is some real talent here. Thanks for the input guys.
 
Password forgotten???

I am particularly bad about remember passwords that I don't use everyday. Back in 98' I found a utility that I like: Password Pro. It has a window that looks like a mini Excel sheet. You need to remember the password to get into Password Pro and then you are good to go. The password database is itself encrypted. There is a one-time registration fee of $9.95.
 
Just FYI - I have a couple of accounts with Bank of America. I received an e-mail yesterday that looked like every other one that I have received from them before. It said that their security filter had rejected someone from getting into my account on Monday, May 5, 2007, from an overseas I.P. Not being a rocket scientist or anything, I still realized that Saturday was the 5th, not Monday. I then noticed that there were several misspelled words, a couple of words that just did not make sense, and the real alarm, "click here" to go to my account to change my information.

It pays to read the entire e-mail instead of just clicking along with the rest of the sheep....:rolleyes:
 
Frank, have you contacted Yahoo to see if they have any ideas how the "Cracked by Likey" is being inserted?

Gentlemen,

We may wish to revise the phishing diagnosis. True, there's something to be said for it at first glance. But let us not forget that just a couple weeks ago Frank was complaining about how slow his machine was. There wasn't enough evidence at the time to openly suggest someone had dropped a trojan on his box, much less to think it had been turned into a spam server, and it was slow because it was busy dishing things out, even though literally millions of machines have been won in this manner and turned into nodes. But this latest incident makes me wonder. His machine was slow, his password was good... too good for any brute force or dictionary attack. This would indicate to me at least the possibility of a keystroke logger.
I hadn't thought of that Bill, but you may be on to something. I'm pretty uneducated about detecting or defending against this type of thing. Any suggestions for Frank to look for?

Just FYI - I have a couple of accounts with Bank of America. I received an e-mail yesterday that looked like every other one that I have received from them before. It said that their security filter had rejected someone from getting into my account on Monday, May 5, 2007, from an overseas I.P. Not being a rocket scientist or anything, I still realized that Saturday was the 5th, not Monday. I then noticed that there were several misspelled words, a couple of words that just did not make sense, and the real alarm, "click here" to go to my account to change my information.

It pays to read the entire e-mail instead of just clicking along with the rest of the sheep....:rolleyes:
Very true advice. I've read a number of articles that say banks don't contact customers via e-mail to handle security issues. They'll use snail-mail instead.

Years ago someone hacked my eBay account and I did get notification from eBay via e-mail, but their message told me to go to the eBay site (didn't even have a link) and follow the directions in the Security Center.
 
Bill,

First of all thanks . . . WEST of Joshua Tree . . . must have been standing on my head when I entered that. I used to say '100 miles from the beach' but that's only true if you head due west. Darn that angled California coast.

Second, yeah, I'll go for a possible keystroke grabber, we see 'em too often. Our current intrusion systems don't catch them by signature as they are usually loaded locally. Its become most efficient for us to just re-image the machines. Unfortunately this doesn't work out real well for the home user.

Thanks again for the east / west thing. ;-)
 
Last edited:
"Second, yeah, I'll go for a possible keystroke grabber, we see 'em too often. Our current intrusion systems don't catch them by signature as they are usually loaded locally. Its become most efficient for us to just re-image the machines. Unfortunately this doesn't work out real well for the home user."

Glenn,

We had terrible problems with these, until we installed something called Deepfreeze in all the labs. Now the machines get reimaged every night, automagically. It's saved us literally thousands of hours in staff time, not to mention headaches... ;)

I used to use TDS-3 on my home machines, but evidently that's been abandoned. Haven't heard of a replacement yet...

Thanks,

Bill
 
phishing liars

I used to get a lot of those phishing jerks attempting to tresspass on my cyber-property. Makes a guy dream about sending a cyber e-mail bomb to blow up their computer!! I got all kinds of messages almost daily from "paypal", "amazon", even the IRS. I was going to check the status of my tax return online but balked when they requested my SS#, bank info., and the amount of the return. I figure that since they already have all that information I wasn't going to give it out again. Guess I'll just have to find the right phone #.
 
Top