What is the longest password you have ever used?

[igor_kavinski]

I was the subject of a "dumb idiot must have leaked his password somehow" inquiry couple of days ago. Only I find out after a whole day of stress of being made to look like a dumbass that a user had been compromised before me and they didn't tell everyone else to turn on 2FA. This was Outlook365 business e-mail, by the way. Sign-in logs showed they had been signing in from Lagos, Nigeria / Columbus, Ohio and Los Angeles. There was one sign in to an IMAP application that they must have used to steal all my company e-mail too. Outlook365 is so pathetic that they didn't even send an alert that out of country logins were happening. Gmail is really good in this regard and sends an e-mail immediately telling you that you just signed in from a new device. Nothing like that here. The bastards linked my email to Supermailer and tried to send out phishing e-mails to 2300+ email addresses. I wish them a quick sulfuric acid dissolution death, for the stress they caused me.

 

[Captante]

I was the subject of a "dumb idiot must have leaked his password somehow" inquiry couple of days ago. Only I find out after a whole day of stress of being made to look like a dumbass that a user had been compromised before me and they didn't tell everyone else to turn on 2FA. This was Outlook365 business e-mail, by the way. Sign-in logs showed they had been signing in from Lagos, Nigeria / Columbus, Ohio and Los Angeles. There was one sign in to an IMAP application that they must have used to steal all my company e-mail too. Outlook365 is so pathetic that they didn't even send an alert that out of country logins were happening. Gmail is really good in this regard and sends an e-mail immediately telling you that you just signed in from a new device. Nothing like that here. The bastards linked my email to Supermailer and tried to send out phishing e-mails to 2300+ email addresses. I wish them a quick sulfuric acid dissolution death, for the stress they caused me.

Did you happen to catch that LTT video awhile back where he detailed how he & the company his wife nearly got burned for a bunch of money by a hacker that literally "hijacked" a clients entire company email for months to run an elaborate scam?

The bad-actors went so far as to MONITOR the clients email for a long time prior to the "hack" and learned the habits/mannerisms plus personal details of actual employee's so as to be more convincing!

EDIT: Video added

 

[igor_kavinski]

The bad-actors went so far as to MONITOR the clients email for a long time prior to the "hack" and learned the habits/mannerisms plus personal details of actual employee's so as to be more convincing!

I think they must have done the same because they knew that I wouldn't be using the e-mail at 7:30 AM in the morning. I got a call from Sri Lanka at 8:28 AM and someone asked me why I had sent a payment advice email to them. I told them that it must be spam. I didn't send any such email. Of course, that didn't ring any alarm bells for me because spoofed emails with my email had been sent before. However, this time it was actually sent from my email by logging into it. The phishing email was pretty lazily crafted and not very convincing, except to someone dumb. But since my email was used to send the phishing emails to some VIP contacts, I had to face a lot of crap. I guess the VIPs were not using a decent email filtering system and instead of admitting that their IT security was broken, they tried their best to cast me in a bad light and put my competence into question. The dust hasn't probably settled yet. Who knows? I might not have seen the worst of it (i hope not!). My company email is still blocked until they figure out how to prevent something like this from recurring.

 

[ElFenix]

1,2,3,4,5

That is my combination on my luggage.

 

[compcons]

The bad-actors went so far as to MONITOR the clients email for a long time prior to the "hack" and learned the habits/mannerisms plus personal details of actual employee's so as to be more convincing!

This is actually a regular occurrence. Taking over mailboxes, creating mail forwarding rules, maintaining the mailbox (deleting the messages), etc. It is actually common to monitor for those other types of activities to detect threat actors before they execute their final actions.

Threat actors posing as executives who are monitoring other executives calendars because "Hey , I know you are in a meeting with xyz right now, but I need approval for finance to release funds. Can you approve this and forward to payables to send payment to this routing number?" Done. CFO approves the email and since it was a forwarded email from the CFO, finance does it. Millions lost in a second.

 

[Lost_in_the_HTTP]

^^^ That type of transaction should NEVER be conducted by email alone. There MUST be a physical paper trail, or at least something by secure internal systems.

 

[Captante]

At some point (if not already!) we will no longer be able to consider voice/telephone and even video conversations "reliable" out of necessity because the tech to fake them convincingly will be readily available to anyone.

Looks like we're well OTW back to meeting face-to-face with a handshake being the only way to "be sure" on big expensive transactions.

As the years roll by, the "Blade Runner" societies strict regulation of "replicants" which seemed so horrible in the movie makes more and more sense in a scary Orwellian way. (you wouldn't even be able to trust IRL meetings were not faked!)