Data Breach! Change Your Password!


Jeff
Starters Handicap
Posts: 745
Joined: Sun Jan 30, 2005 7:49 pm
Location: Nor Cal

Data Breach! Change Your Password!

Postby Jeff » Mon Feb 25, 2019 10:01 am

Just received this message from Credit Karma about this data breach, and Credit Karma informed me that the password I use to pay for my subscription with my credit card on this site has been hacked. Yes, they showed me my password, and I only use it for this site because it is of course a racehorse-related password! :) Change your password!


'Collection #2 is a combolist — someone put together info from individual data breaches and then shared that combined list publicly or on the dark web. This is one of a series of 5 'Collections' of combolists that were sold online in January 2019.

This collection has over 3 billion unique records, including millions of exposed emails and passwords. While much of the info came from previous breaches, several million records could be new.

Criminals use passwords from combolists to try to gain access to your other accounts. That’s why you should never re-use passwords, especially in places with sensitive personal or financial info — like your banking app, health insurance site, tax software, email account, etc.'

Lizard
Site Admin
Posts: 42
Joined: Thu Sep 16, 2004 10:46 am
Location: San Diego

Re: Data Breach! Change Your Password!

Postby Lizard » Tue Mar 12, 2019 3:45 pm

Hi Jeff,

Thanks for bringing this to our attention. We take security very seriously and would like to know more information about this. We currently have absolutely zero indication that our services have been accessed by an unauthorized third party, so any claim to this is very important to us. Additionally, we hash all of our users' database passwords using a very secure modern hashing algorithm where it would be virtually impossible for someone to determine our users' plaintext passwords even if they were to be compromised.

I'd also like to say that I personally use a unique password for PQ and the PQ forums, and I have not received any notifications from the various security services that I am signed up for that the password I use for the forum or database is part of any password dumps. These services include Credit Karma and Troy Hunt's very reputable https://haveibeenpwned.com/

Lastly, I have spot checked many of our users' email addresses in Troy Hunt's https://haveibeenpwned.com service, and many of them *do not* appear in any breaches, which would indicate that our database has not been compromised in any way.

I'm not saying the email you received was not legitimate, but I'd like to make a note to anyone reading this that it's very important to be wary of scam/phishing emails that claim you are a part of a database breach. These emails will target random email addresses and try to extort money or bitcoin from the email owner.

With all that said, I have a few questions if you don't mind. Was this password used on our forum, database account, or both? Do you know the last time you changed your password on the PQ forum or database (prior to the supposed breach)? I know you mentioned that this password was unique to our website, but is it possible you accidentally entered this password into any other website while trying to log in? Lastly, is it at all possible your computer was/is compromised? If so, any information you enter into your browser is susceptible to being harvested by a malicious 3rd party.

Thanks again for bringing this to our attention. I will continue to dig to see if there's any indication that our services have been compromised, but as mentioned earlier we have no reason to believe this to be the case right now.

- Jeff
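
Added example, not part of the thread and not code from either poster: a way to check whether a specific password appears in breach corpora using the Pwned Passwords range lookup that haveibeenpwned.com offers. Only the first five characters of the password's SHA-1 hash are sent, and the match is done locally. The sample password and the response body below are constructed so the example runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Download every known suffix for a prefix. Only the prefix leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password appears in the corpus (0 if absent)."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        # Each response line has the form SUFFIX:COUNT
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample data (not real breach data) so the example runs offline.
SAMPLE_PASSWORD = "secretariat1973"
SAMPLE_RANGE_BODY = "\n".join([
    "0" * 35 + ":3",
    split_hash(SAMPLE_PASSWORD)[1] + ":7",
    "F" * 35 + ":12",
])

if __name__ == "__main__":
    prefix, _ = split_hash(SAMPLE_PASSWORD)
    print("prefix sent to the service:", prefix)
    print("times seen:", breach_count(SAMPLE_PASSWORD, SAMPLE_RANGE_BODY))
    # Live check: breach_count(pw, fetch_range(split_hash(pw)[0]))
```

A non-zero count means the password itself is circulating in dumps, whichever site it originally leaked from, so it should be replaced everywhere it was used.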