Quote:
Originally Posted by Any2Suited
I was reacting to post #38, where Josem outlined how most cases of login information being compromised were from data breaches. Hence my concern over some sites storing passwords in plaintext. I wasn't specifically referring to PokerStars or any other poker-related sites.
Ah, fair enough.
I think the biggest risk there isn't a poker site data breach, but the breach of another site where you use the same password (which of course you shouldn't be doing, and probably aren't - but others do).
As an example, I started getting some emails a while ago that were concerning when I got the first one, until I read more about it. Here's the main part of the email:
Quote:
Hey, I know one of your password is: XXXXXXX
I'm a hacker and programmer, your computer was infected with my private software, RAT (Remote Administration Tool).
Your browser wasn't updated, so it was enough to just visit the website where the iframe to my exploit pack was placed.
My software gave me full access to your computer, your files, contacts, accounts and it was possible to spy on you over your webcam.
I WAS SPYING ON YOU FOR SOME TIME.
I KNOW ALL ABOUT YOU, YOUR SECRETS, ALL YOUR ACTIVITIES.
I CAN LET EVERYONE KNOW ABOUT AND I'M SURE YOUR LIFE WON'T BE THE SAME AFTER THAT.
To stop me, send 1400$ with the cryptocurrency Bitcoin (BTC), I think it's a very good price compared to the result if you don't pay.
The password? It's one I use on dozens of sites. I use it on most sites that require me to sign up. I recognized it immediately. Scary, right?
Well, I looked into it more. I went to the very site Josem linked, and found that my email address had been involved in one data breach, at Ticketfly. This confirmed for me what I suspected was true - that the email was all bullshit. Dude hasn't been spying on me, has no access to my computer. He's just bought the breached database, emails the same thing to everyone in it, and if 10 or 20 or 100 people bite, he's made a tidy profit.
But that still leaves my Ticketfly info out there. This guy won't be the only one to have bought the database. So, if I had used that same email/password combination at a poker site, I'd be quite vulnerable. But, of course I hadn't. I only use that password on sites I don't care about - the "throwaway" signups that are part of daily Internet life. Any poker site, financial institution, social media site, this forum - anywhere that someone else getting my credentials would really matter - gets a unique 20+ character password. So, I guess someone could screw with my New York Times subscription or my IMDb account if I ever created one, but that's about it.
I'm not going to say a poker site data breach is impossible, but most people have their accounts compromised through far more pedestrian means than having to hack a presumably secure database. Social engineering, trojans/keyloggers, or obtaining your data elsewhere.
Oh, I should add - that not using the same email/password combo practice I'm so proud of? Yeah, I wasn't that savvy about 12 years ago, when I did use the same password a lot of places. Lost over $1,000 on an ewallet, and I never did figure out how it happened, but I'm pretty sure it was from a data breach on a less secure site. I was extremely lucky to get the money back, and that's when I got KeePass and beefed up my password security.