USPSA Website hacked and PWs/Emails compromised

    bwframe

    Loneranger
    Site Supporter
    Rating - 100%
    93   0   0
    Feb 11, 2008
    38,179
    113
    Btown Rural
    What are the hackers gonna get out of this? An e-mail address to spam?

    Doesn't every third company get hacked every other day, including financial institutions?
     

    chezuki

    Human
    Rating - 100%
    48   0   0
    Mar 18, 2009
    34,158
    113
    Behind Bars
    What are the hackers gonna get out of this? An e-mail address to spam?

    Doesn't every third company get hacked every other day, including financial institutions?

    Many things use emails as usernames, and also many people (rather stupidly) use the same password for multiple things.
     

    bwframe

    Loneranger
    Site Supporter
    Rating - 100%
    93   0   0
    Feb 11, 2008
    38,179
    113
    Btown Rural
    Just got the first spam/phishing attempt to my USPSA email address:



    Hello,

    On Wed, Nov 26, 2014 12:26 AM GMT+2, we noticed an attempt to sign in to your Apple iTunes account from an unrecognized device in Norway.

    If this was you, please sign in from your regularly used device.

    If you haven't recently signed in from an unrecognized device and believe someone may have accessed your account, please visit ** link removed ** to change your password and update your account recovery information.

    Thanks for taking these additional steps to keep your account safe.

    Regards,
    Apple
     
    Last edited:

    rhino

    Grandmaster
    Rating - 100%
    24   0   0
    Mar 18, 2008
    30,906
    113
    Indiana
    I understand, but I don't get the severity of this?

    It's not a big deal for people who use different passwords for different logins.

    Think of this: take that email address and password and try them at several banks' web sites. It's likely you'll find a few or many whose bank accounts are accessed with that email address as their login ID and that password as their password. Then you have their bank account, the PayPal account, etc.

    Sure, everyone should use different passwords and user IDs wherever they go, but they don't. It is unusual and irresponsible for an organization that requires submission of a valid email address or other identifying information to leave the corresponding passwords gift-wrapped for the taking. Especially when it's a well-known stupid thing to do and they were warned (according to people who claimed to have warned them). Especially since they've been hacked before.
     

    pudly

    Grandmaster
    Rating - 100%
    35   0   0
    Nov 12, 2008
    13,329
    83
    Undisclosed
    I understand, but I don't get the severity of this?

    Although your USPSA account is likely low impact, the real value is in how they can use that info to attack financial and other priority systems. Right in the listing was a note that about 1000 passwords worked for PayPal. They would also try the same e-mail/password combo with major banks, eBay, Amazon, Google, Facebook, Twitter, etc. Since most people have a single e-mail that they use for many systems and reuse passwords, any site breach like this is considered a treasure trove of hackable accounts. Any such account compromises can then be used to gain financially, steal your identity, and work towards additional account or system compromises. Even if you aren't affected, it is very possible that thousands of others will be hurt by this site compromise.

    USPSA didn't follow good information security practices. Even if an organization follows good security protocols, they may still be compromised; they just lower the odds and scope of the damage. Here are some things that you can do to protect yourself and your accounts:
    • Do not reuse passwords, particularly those associated with financials and major sites (Google, Twitter, Facebook, etc.).
    • Use longer (8+) and more complex passwords (upper/lower case, digits, special characters).
    • Do not use dictionary words or simple character sequences (monkey, password, 123456, qwerty, etc.).
    • Given that the rules above make memorizing many passwords difficult, you may want to consider using a password manager such as LastPass, KeePass, etc. You lock the manager with a complex password and then it will handle remembering all of your other account IDs/passwords. I use this and now use random 20-character passwords on most sites that even I don't know.
    • Wherever possible, enable 2FA (two-factor authentication), especially for important accounts. This is a second form of identity proof besides your password. This can come in several forms such as a code sent to your cell phone or e-mail, a small app that generates a code that you need to type in, etc. With 2FA enabled, even if the account list is compromised, you have an additional layer of security in place and they still don't have enough info to log onto your account.
     
    Last edited:
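    The two points pudly's post turns on (an account file that holds passwords in the clear is a gift to whoever copies it, and short or dictionary passwords are easy to guess) as an added worked example that is not from this thread or from any site named in it. It is a minimal credential store that rejects the weak passwords pudly lists and keeps only a per-user salted PBKDF2 hash, so a copied file yields hashes rather than the e-mail/password pairs the thread says the USPSA file contained. The class and function names, the sample address, and the iteration count are constructed assumptions, not anything USPSA or INGO runs.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed for this example: the words pudly's post lists as ones to avoid.
WEAK_PASSWORDS = {"monkey", "password", "123456", "qwerty"}
MIN_LENGTH = 8  # the "8+" from the post
# Assumption: a PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance.
PBKDF2_ITERATIONS = 600_000


def password_problems(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("dictionary word or common sequence")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class CredentialStore:
    """Maps e-mail address -> password record. Only the salted hash is kept, never the password."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        problems = password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        self._records[email.lower()] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        stored = self._records.get(email.lower())
        if stored is None:
            # Hash anyway so an unknown address costs the same time as a wrong password;
            # otherwise response time reveals which e-mails have accounts.
            hash_password(password)
            return False
        return verify_password(password, stored)

    def dump(self) -> Dict[str, str]:
        """What someone who copies the file sees: per-user salted hashes, not the passwords."""
        return dict(self._records)


if __name__ == "__main__":
    store = CredentialStore()
    store.register("shooter@example.com", "Tr0ub4dor&3")  # constructed sample credentials
    print(store.login("shooter@example.com", "Tr0ub4dor&3"))  # True
    print(store.login("shooter@example.com", "monkey"))       # False
    print(store.dump())  # hashes only
```

    The random per-user salt is what makes a leaked file expensive even for a password that several members share: two members with the same password get different records, so each one has to be attacked separately rather than with one precomputed table. The policy check covers only the rules pudly spells out; it does not stop a member from using the same acceptable password on other sites, which is the reuse problem the thread is really about.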

    bwframe

    Loneranger
    Site Supporter
    Rating - 100%
    93   0   0
    Feb 11, 2008
    38,179
    113
    Btown Rural
    OK, OK I'm beginning to grasp. I really had no clue that anyone still used the same e-mails and passwords for everywhere they went.
     

    pudly

    Grandmaster
    Rating - 100%
    35   0   0
    Nov 12, 2008
    13,329
    83
    Undisclosed
    There are a number of people who use the same User ID both on INGO and other gun sites. If you were to compromise one site's account list, I'd bet that you would get access to a substantial number of logins for the other sites as well.
     

    Friction

    Plinker
    Rating - 0%
    0   0   0
    Feb 21, 2014
    98
    8
    Terre Haute
    Places like USPSA are low-hanging fruit WRT security protocols, so they become a target for mass data that may prove valuable in better-secured places like banks. While high-level places are hit pretty routinely, the reality is that in accordance with applicable laws they not only discover the hit but they report it to you, whereas smaller companies do not.

    How advanced do you think the IT department for your trash collection agency is? How about the mom and pop forums or web based business out there that require log-ins and PWs to use? The fact is that many of those places have been hit multiple times but they may not even know it yet, or ever.

    All you can do to protect yourself from data crimes is to work to minimize your exposure to a single breach of information by doing what folks have recommended above. Additionally, you can use separate emails for everyday shopping and for banking. Email addresses are free to create, and the address will remain SPAM free if you only use it at well-established sites, so it's worth having a "Shopping/forum" email and a "personal business" email.

    Whether you know it or not, you are your own CEO/CFO and IT department, so treat yourself the same way a company would treat you. Would you use your office email as a point of contact on your forum registrations? Probably not, because they likely have rules in place about that, so enforce those same rules with things under your control and you help minimize risk. You can always just create very similar emails to what you have for important tasks if it makes it easier to remember.
    TURBOKILLER69@killer.com = Important stuff
    ShadywebsiteTURBOKILLER69@killer.com = online shopping at porn sites and USPSA log-ins.

    I don't know the actual numbers, but I would estimate that you are at least 10,000 times more likely to be the victim of a data-related crime than a strong-arm robbery or other situation where a carry weapon would help you, so if you are big on proactive physical personal defense you should make an effort to be vigilant with your administrative personal defense at least as much.
     

    rhino

    Grandmaster
    Rating - 100%
    24   0   0
    Mar 18, 2008
    30,906
    113
    Indiana
    There are a number of people who use the same User ID both on INGO and other gun sites. If you were to compromise one site's account list, I'd bet that you would get access to a substantial number of logins for the other sites as well.


    I'll bet the passwords on INGO are encrypted!
     

    blkrifle

    Master
    Site Supporter
    Rating - 0%
    0   0   0
    Nov 28, 2010
    1,960
    99
    terre haute
    So . . . how many DAYS should I expect to wait for the password reset? If they're sending an email to me with a link, it's not arriving, nor is it going to my spam folder.

    Of course, why should I expect that to function from people who left thousands of email/password combinations available as a plain text file after being warned in the past?

    DUMBASSES.


    they are using the same timeline you use to renew your ro cert! bahahaaaha
     

    rhino

    Grandmaster
    Rating - 100%
    24   0   0
    Mar 18, 2008
    30,906
    113
    Indiana
    There are a number of people who use the same User ID both on INGO and other gun sites. If you were to compromise one site's account list, I'd bet that you would get access to a substantial number of logins for the other sites as well.

    they are using the same timeline you use to renew your ro cert! bahahaaaha

    D'OH!! Gut punch drops the rhino!!!

    Well played, sir!
     

    bwframe

    Loneranger
    Site Supporter
    Rating - 100%
    93   0   0
    Feb 11, 2008
    38,179
    113
    Btown Rural
    The member support section of the USPSA site has been down for a couple days. I've been trying to get my login/password changed.
     