Today I received an email in my spam filter. The email address was for myself; I realize this is a common ploy of phishing. The reason I suspect UMD is because it included a password; it's the same one associated with my UMD account, and this is the only place it is used.
I will be changing my password and choosing to not stay logged in.
Thanks Messmaster for all you do. Hackers should be hung from a tree by their genitalia.
Did the email claim to have webcam footage of you watching porn and demand payment in Bitcoin else the footage gets released? It's a fairly common scam. So far in all the cases I've looked at the data seems to have been taken from the LinkedIn breach back in 2012 (117 million account details ultimately breached apparently) - are you certain the password in question was only ever used here on the UMD?
TBH whether you remain logged in or not makes no difference. In all the database breach cases where passwords were obtained it means the passwords were stored in the affected database either as plain text or protected weakly, which I gather was the LinkedIn issue (no salt in hashes). Passwords in databases should always be stored as salted hashes - which is a way of encoding things that means you can check what someone entered against the hash and it will say if it matches, but you can't (without a lot of very powerful computers and a few hundred years) convert the hash back to the original password. So even if someone steals the database, they only have the usernames and hashes, and can't get the actual passwords.
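The difference between unsalted and salted password storage described in the reply above, as an added example that is not part of the original thread or the site's own code. The SHA-1 digest for the weak case, PBKDF2-HMAC-SHA256 for the salted case, the iteration count and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def unsalted_hash(password):
    """Weak storage: fast digest, no salt. Same password gives the same hash everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted storage: a random per-user salt plus a deliberately slow derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt, salt, stored):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored)


def repeated_hashes(hashes):
    """Count stored values that appear more than once in a credential table."""
    return sum(n for n in Counter(hashes).values() if n > 1)


# Constructed sample accounts: two users picked the same password.
USERS = {"alice": "correct-horse-42", "bob": "correct-horse-42", "carol": "blue-lantern-7"}

if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    # Without a salt, identical passwords are visible as identical rows.
    print("unsalted rows sharing a hash:", repeated_hashes(weak.values()))
    # With a per-user salt, every row is unique even for identical passwords.
    print("salted rows sharing a hash:  ", repeated_hashes(d for _, d in strong.values()))
    salt, stored = strong["alice"]
    print("correct password verifies:", verify_password("correct-horse-42", salt, stored))
    print("wrong password verifies:  ", verify_password("Correct-horse-42", salt, stored))
```

The salt is stored next to the hash; it does not need to be secret, it only has to be unique per account.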
The first paragraph of your post is pretty accurate for the email. I knew it was a scam so I deleted it.
As for the password used elsewhere, it is very possible that it was used elsewhere many, many years ago. I do not think I have ever had a LinkedIn account, though.
soundguy said: A lot of the passwords displayed in this scam were from an ancient MySpace hack.
Soundguy, MySpace is a definite possibility!
Thanks!
Yeah, I got it too using a very old password, probably Myspace.
On a side note, I had to stop a doctor that works behind me from filling out a form because they had just read an email telling them they had a tax rebate!
Please look at the headers, people. Depending on who your email provider is, there are different ways of looking at the headers. Find out where it was from, etc.
As far as the password situation, I am pretty sure that MM runs the site in the most secure method possible. I am pretty sure that the passwords are not stored in plain text anywhere. If you look at the site it is using https protocol instead of http.
Another thing to look at, now I am honestly not sure if this is even a requirement, but there are laws and standards governing money transfers and security when dealing with money transfers. They are called PCI compliance. Like I said I am not sure if MM is required to adhere to them, but things like not storing passwords on the site in plain text and then how the site is accessed has a lot to do with that.
Yeah, those emails are fake. They use the one piece of information that would gain them some credibility and scare you into sending them money. I don't know what your password is. They are all encrypted and a hacker could get the entire list and it would be useless. Thanks for the info, Soundguy, about Myspace. I didn't know that but it definitely explains a whole lot of things I've seen over the years. Here's more on our privacy: https://umd.net/termsofservice#privacy