Have your credentials been snooped?

[Ruby Eyes]

So I found the email address  that I'm using for dragcave.net (and dragcave ONLY, not even for the forums) here: https://haveibeenpwned.com/

Unsurprising, since I also recently received some wannabe blackmail spam with that email address AND my old password (has been changed a while ago). The sender wants bitcoins for a video that cannot possibly exist - how do they hack a webcam if the computer has none?

 

Looks like another game's account has been leaked for me as well, also last.fm. Luckily, neither my work nor my payment addresses are compromised. So far, knock on wood.

 

Do you find yourself in there?

[Confused Cat]

Curses. My main email address is listed as "pwned" because of Tumblr and Patreon (which I already knew, and changed the passwords years ago), but apparently it's also in the new thing they call "Collection #1" - and there is no way to find out which of my passwords is in that list? (Except for trying to remember all the passwords I've ever used and entering them individually on their password search page...)

[Fuzzbucket]

Yeah - there seems no way to check. But my MAIN address is safe - I don't use it for ANYWHERE important - just for email !

[Ruby Eyes]

1 hour ago, Confused Cat said:

the new thing they call "Collection #1"

Its contents are not really that new, I think. It's just a collection from various sources of stuff gathered through the years.

Basically, just change your password everywhere where you use that address, including the email account itself *shrugs*

[-----]

that's weird that your dc-only email's been flagged - i've asked my sisters and of the 4 of us, only one email address has been breached (which is an email she uses for everything, so...).  i also use my email for pretty much everything and it hasn't been flagged up or anything.

[Ruby Eyes]

30 minutes ago, ----- said:

that's weird that your dc-only email's been flagged - i've asked my sisters and of the 4 of us, only one email address has been breached (which is an email she uses for everything, so...).  i also use my email for pretty much everything and it hasn't been flagged up or anything.

You joined last year, right? I suspect it's similar with your sisters. Your passwords may simply have NOT YET existed back when my data was stolen.

[-----]

1 minute ago, Ruby Eyes said:

You joined last year, right? I suspect it's similar with your sisters. Your passwords may simply have NOT YET existed back when my data was stolen.

ah yeah, i joined back in october. but my sisters joined much earlier - according to their scroll dates, one joined back in 2009, another joined in may 2011, and another joined in nov 2011. the 2nd person was the only one to have her email 'pwned'.

[Ruby Eyes]

And the others didn't change their email address for DC within the past 2-3 years? Just wondering

[-----]

sister from 2009 is out rn but the other two say they've used the same emails since they started playing. so i have no idea why yours is different, but either way we all plan to change/improve our passwords.

[_Charky]

I already messaged TJ about this the other day. I got the same email Ruby did, and decided I should check in on it  I'm not about to share the contents of the messages, but basically:

 

The leak isn't new. The information they have on me is from at least a few years ago.

Both the site and the forum currently have adequate security, and they're using the current best encryption method.

He pointed me to This forum post, which I'd missed at the time, but it certainly seems to line up with the timeframe.

TJ himself can't find his dragcave information in the pwned database, but I know that my old dc-forum-only password, along with at least a few friends', appears 4 times in the database. It looks like some portion (but not all of) the forum data was pwned. I imagine it has been doing the rounds for a while, but that it's recently resurfaced- hence the influx of blackemails.

 

As Mentioned above, you can check https://haveibeenpwned.com/ to see if your email was on a breached site.

 

There's also another page,  https://haveibeenpwned.com/passwords , which allows you to test any individual passwords. 

 

 

Edited January 18, 2019 by dracocharky

[Ytak]

Looks like two of my three have.  But not the one I use for more official stuff.  Guess I'll just have to live with the other.  😛

[borntobefree]

Please tell me that you people are not inputting your email addys to those sites to check to see if you've been flagged, and then going to a related site to see if you commonly used passwords are being used...OMG please just don't do that. The same with those FB and other social media scams..tell me the 26 most personal; things about you that tend to be the most used security questions on almost every major banking site!!! Gahh Thought you younger kids where waymore cyber security savy than that!

 

If you belong to a site which may have been breeched go to the site, They are required to send you a notification even if it was a tiny blip, that just possibly you might have been compromised. Contact their security,if you feel you were, and they can tell you if you had been at any risk. Never..Ever imput your information to some helpful site willing to do the checking for you, you literally just signed up for it, eventually you'll use the site again someday to check a password, and bam, they got you.

[Ruby Eyes]

4 hours ago, borntobefree said:

They are required to send you a notification even if it was a tiny blip

Except they rarely ever do. They need to *notice* it themselves first.

 

Generally, don't enter your passwords anywhere except where you want to log in. But entering your email address on the site above to check if they find it in one of these large databases is not a security issue per se. It's known to plenty of people already anyway.

Edited October 2, 2019 by Ruby Eyes

[sh20000sh]

I tried that site before. I even found one of my password variant there. Some of my email address had been appeared three times.

 

 

On 1/18/2019 at 8:25 PM, Ruby Eyes said:

The sender wants bitcoins for a video that cannot possibly exist - how do they hack a webcam if the computer has none?

I remember someone blackmailed me. It was actually low quality one as it just email spoofing and password was not mentioned. Actually I felt worried for 24 hours as I connected my computer with closed circuit TV tho.

Edited October 2, 2019 by sh20000sh

[Aniia]

11 hours ago, borntobefree said:

Please tell me that you people are not inputting your email addys to those sites to check to see if you've been flagged, and then going to a related site to see if you commonly used passwords are being used...OMG please just don't do that. The same with those FB and other social media scams..tell me the 26 most personal; things about you that tend to be the most used security questions on almost every major banking site!!! Gahh Thought you younger kids where waymore cyber security savy than that!

 

If you belong to a site which may have been breeched go to the site, They are required to send you a notification even if it was a tiny blip, that just possibly you might have been compromised. Contact their security,if you feel you were, and they can tell you if you had been at any risk. Never..Ever imput your information to some helpful site willing to do the checking for you, you literally just signed up for it, eventually you'll use the site again someday to check a password, and bam, they got you.

 

This was my first thought as well. My entering your information on these 'helpful' sites, what's to stop them from saving and collecting your information for their personal use later? In general, I try not to give out information unless its absolutely necessary. Best to just change your passwords regularly.

[borntobefree]

The FBI actually had warnings about sites like pwned being helpful, 10 years ago, or there about. Never ever check your email status on those sites, please people. Every single one of you who have used those sites please change every single password you have, on absolutely everything!!