Phishers are getting sophisticated

[Zundfolge]

So I got one of those scam emails "I hacked your email account, so send me bitcoin or I'll show the world the porn you look at" ... it had my email address and said what the password was. While that's not the PW for that email address it is one I've used other places (although not in a long time since I let LastPass generate them now).

I think the guy doesn't have anything on me but it is disconcerting.

My guess is he got a list of usernames (many sites use your email address) and pws and is just assuming that a lot of people use just one or two pws so he'd get lucky frightening someone. But it does illustrate why a pw manager is the way to go and you should NEVER re-use passwords.


I downloaded my password list off LastPass and cross referenced all the sites I used that combination of password and email-address-as-username ... and found about a dozen. Only a couple of which are sites I actually use (so I changed those).



Anyway Justin sent me the following link when I talked to him about it https://haveibeenpwned.com/ and it looks like I had been "pwned" and two of the web sites I use had been breached (disqus and plex). So glad I changed those PWs today.

[Irving]

Can you post more about LastPass? How easy is it to use? Is it a cloud thing? Do you pay for it?

[CS1983]

How is that sophisticated?

I had an interesting one a few weeks ago when trying to sell some tires on CL. Had someone who said they wanted to buy. OK, cool. Then I get a Google Voice verification text. The guy then immediately texts he wants me to tell him the number to verify I'm real. HA! So basically they were trying to get people to verify their own phone numbers in order to get new Google voice numbers for further scams.

I use KeePass. Free. Can export the DB. Easy to use.

[Zundfolge]

Can you post more about LastPass? How easy is it to use? Is it a cloud thing? Do you pay for it?

LastPass is free and easy to use ... although they also have a "premium" version (not sure what that gives you).

basically you set up one password to LastPass and it will automatically generate complex passwords for you and store all those passwords online so you can access them any time you need them.

The important thing is that it allows you to use a different password on every site you log into so you aren't reusing passwords (which is bad opsec).

https://www.lastpass.com

[Skip]

Yup.

Got the "we turned your webcam on" one too. I don't have a webcam on my primary dev desktop machine and my laptop is blocked out all the time. I don't do video conferencing, ever.

Another tip I learned is to incorporate the site/name in the PW. Again, my PWs are never the same and complex but I will put the initials or short name of the site somewhere in there so if it's compromised I know which one was hit. You can still use a PW vault with this too!

[davsel]

So, what happens when LastPass gets hacked?

[O2HeN2]

So, what happens when LastPass gets hacked?

Assuming it works like 1Password.com that I use, nothing. They don't have anything but encrypted data that even they can't decrypt. I'll give more details when I'm on a real keyboard.

O2

[Irving]

Does last pass just autofill the passwords when you go to the site like Google will (if you allow)? I'll have to check it out when I get home. My current system of keeping track of passwords is likely less than desirable. What do you do for a spouse to have access in the event of your death? Keep the LastPass password written down in a separate location?

[Zundfolge]

Does last pass just autofill the passwords when you go to the site like Google will (if you allow)? I'll have to check it out when I get home. My current system of keeping track of passwords is likely less than desirable. What do you do for a spouse to have access in the event of your death? Keep the LastPass password written down in a separate location?

I keep a copy of my lastpass password on a tiny slip of paper in my wallet.

[Irving]

I've heard rumors of people using realistic sounding voice recordings to say kids have been kidnapped, but nothing I can confirm. And with AI face replacement stuff scammers can and will be getting more sophisticated, but it also makes denying stuff easier IMO.