Ellen Park, the Lone Wanderer (![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
aaaaaaaagh_sky) wrote in ![[community profile]](https://www.dreamwidth.org/img/silk/identity/community.png)
ways_back_room2018-09-26 01:56 pm
aaaaaaaagh_sky) wrote in ways_back_room2018-09-26 01:56 pm
Real-world network security breach; account passwords may be exposed
Hi, everyone.
First, the TL;DR info: if your Dreamwidth account was imported from Livejournal, or if you ever reused a password from LJ or possibly Netflix or last.fm or several other services, you should change that password now.
Now, the details.
I received a blitz of emails in my spam folder yesterday, all identically worded. The sender claimed to be a member of an international hacker group and that he had hacked my account and sent me messages from myself. To prove he had done this, he included my password. He claimed he'd gotten a virus onto my computer via an 'adult site' I had visited, hacked my email, my social networks, my messengers, etc., and then secretly turned on my webcam and recorded me visiting all kinds of filthy sites, and demanded I send $700 to a bitcoin wallet within 48 hours to prevent him from sending logs of this material to everyone in my contacts book.
Point one: the passwords were all from Livejournal accounts I haven't accessed in years. True, I had imported several of the journals to Dreamwidth, but I'd changed those passwords.
Point two: the most adult site I've been to is the Game of Thrones wiki, or possibly the National Grid natural gas billing page.
Point three, I disabled my camera in the system settings when I wiped it and installed Windows, and I put electrical tape over the thing anyway.
I ignored the messages, but after some consideration opted to go through as many of my online accounts as possible and change passwords anyway. (Lastpass helps with this.) I also dropped the text of one of the spam paragraphs into a search engine, just in case this was a common spam of some kind. It led me to a discussion thread from people who had received the same message within the past 24 hours. Apparently a Canadian electronics retailer named NCIX had failed to wipe their server hard drives before selling them off during bankruptcy proceedings, and several servers turned up on Craigslist on September 21st. The RCMP intervened but not before the seller had already given the contents of the hard drives to at least five buyers.
At least one of the people in the discussion thread had received an email address with an old Livejournal password of his, despite never having been an NCIX customer. Other people reported seeing messages with old Netflix or Live.com or last.fm passwords.
I don't know what other sites may have been breached, or what other information may have been on the NCIX servers that didn't need to be there. But if your RP account, or your personal account, migrated from LJ? Change the password now, assuming you haven't already. If you use the same password on more than one site? Change it, on each site, and change each site's password to something different. Consider using an encrypted password manager so you won't have to come up with a jillion passwords you'll remember.
And remember, they can't secretly record you via your computer's web cam through a piece of black electrical tape.
Thank you.
First, the TL;DR info: if your Dreamwidth account was imported from Livejournal, or if you ever reused a password from LJ or possibly Netflix or last.fm or several other services, you should change that password now.
Now, the details.
I received a blitz of emails in my spam folder yesterday, all identically worded. The sender claimed to be a member of an international hacker group and that he had hacked my account and sent me messages from myself. To prove he had done this, he included my password. He claimed he'd gotten a virus onto my computer via an 'adult site' I had visited, hacked my email, my social networks, my messengers, etc., and then secretly turned on my webcam and recorded me visiting all kinds of filthy sites, and demanded I send $700 to a bitcoin wallet within 48 hours to prevent him from sending logs of this material to everyone in my contacts book.
Point one: the passwords were all from Livejournal accounts I haven't accessed in years. True, I had imported several of the journals to Dreamwidth, but I'd changed those passwords.
Point two: the most adult site I've been to is the Game of Thrones wiki, or possibly the National Grid natural gas billing page.
Point three, I disabled my camera in the system settings when I wiped it and installed Windows, and I put electrical tape over the thing anyway.
I ignored the messages, but after some consideration opted to go through as many of my online accounts as possible and change passwords anyway. (Lastpass helps with this.) I also dropped the text of one of the spam paragraphs into a search engine, just in case this was a common spam of some kind. It led me to a discussion thread from people who had received the same message within the past 24 hours. Apparently a Canadian electronics retailer named NCIX had failed to wipe their server hard drives before selling them off during bankruptcy proceedings, and several servers turned up on Craigslist on September 21st. The RCMP intervened but not before the seller had already given the contents of the hard drives to at least five buyers.
At least one of the people in the discussion thread had received an email address with an old Livejournal password of his, despite never having been an NCIX customer. Other people reported seeing messages with old Netflix or Live.com or last.fm passwords.
I don't know what other sites may have been breached, or what other information may have been on the NCIX servers that didn't need to be there. But if your RP account, or your personal account, migrated from LJ? Change the password now, assuming you haven't already. If you use the same password on more than one site? Change it, on each site, and change each site's password to something different. Consider using an encrypted password manager so you won't have to come up with a jillion passwords you'll remember.
And remember, they can't secretly record you via your computer's web cam through a piece of black electrical tape.
Thank you.
no subject
no subject
no subject
You saucy minx, you!
no subject
thank you for letting me know blugh