I saw the news recently that "compromised accounts" had been banned.
What is a compromised account?
How do I avoid/prevent my account being compromised?
Will I be notified if my account is compromised?
Is the site still safe?
Posted under General
Compromised means a malicious actor somehow got the password and accessed the account. The Mods spent several hours cleaning up various types of spam from a bunch of hacked accounts and banning them. (Over 25,000 Mod Actions were taken! Thanks, Mods!) You could always change your password if you're concerned.
crocogator said:
Compromised means a malicious actor somehow got the password and accessed the account. The Mods spent several hours cleaning up various types of spam from a bunch of hacked accounts and banning them. (Over 25,000 Mod Actions were taken! Thanks, Mods!) You could always change your password if you're concerned.
Was e621 hacked?
disposableyeens said:
Was e621 hacked?
It's more likely the passwords were leaked from some password manager site. If e6 itself was hacked, I'd suspect the site would go down for a bit and everyone would be forced to reset their passwords.
disposableyeens said:
Was e621 hacked?
No, many other sites were. The problem is when people reuse passwords from those sites here. You can avoid such trouble by using a reputable password manager.
disposableyeens said:
Was e621 hacked?
A series of threads were made that had a four digit number at the end. I didn't see the entirety of it, but I'm assuming they were planned to be posted in the thousands. And from that, that a massive amount of accounts had to have either been stockpiled over time, or accessed all at once. I'm seeing it more likely that at least a momentary breach happened, since stolen accounts would've been recovered as the creators reached out to staff.
I'm going to say change your password. Maybe even your email address, if you don't want it associated with this account.
letforeverfinallydie said:
A series of threads were made that had a four digit number at the end. I didn't see the entirety of it, but I'm assuming they were planned to be posted in the thousands. And from that, that a massive amount of accounts had to have either been stockpiled over time, or accessed all at once. I'm seeing it more likely that at least a momentary breach happened, since stolen accounts would've been recovered as the creators reached out to staff.
I'm going to say change your password. Maybe even your email address, if you don't want it associated with this account.
I have an email specifically for my furry stuff, is that good enough?
When I looked at the forums 3 hours after the raid (and around the time when mods started cleaning up the forum), there were 14 and a half pages of spam threads. Though it seemed like some accounts started to get reused for threads after a while.
anicebee said:
When I looked at the forums 3 hours after the raid (and around the time when mods started cleaning up the forum), there were 14 and a half pages of spam threads. Though it seemed like some accounts started to get reused for threads after a while.
It was at least 100 pages of spam forum threads, plus some blips and sets created by the hacked accounts.
disposableyeens said:
I have an email specifically for my furry stuff, is that good enough?
It's good practice to separate your interests with different emails. Like gattonero said above, make sure you use strong passwords and don't reuse passwords across sites. A good modern password manager can generate long, high-entropy passwords and autofill them in fields if you want. Chrome and Firefox both have built-in password generators nowadays so you don't necessarily need a third-party solution, either.
crocogator said:
It was at least 100 pages of spam forum threads, plus some blips and sets created by the hacked accounts.
Everything after topic #47625 but before topic #53932 was spam threads (that's more than 6300 threads), most of the blips between blip #128786 and blip #132636 (~3840 blips), and a boatload of sets created. Also, several of the compromised accounts' profiles were modified to expose email addresses.
dba_afish said:
Everything after topic #47625 but before topic #53932 was spam threads (that's more than 6300 threads), most of the blips between blip #128786 and blip #132636 (~3840 blips), and a boatload of sets created. Also, several of the compromised accounts' profiles were modified to expose email addresses.
jeez
This is extremely concerning, I believe we never had a mass breaching of passwords as bad as this one, literally thousands of accounts got compromised.
Now mountains of people will need to rebuild their account from zero, but during the process of people getting new accounts, countless trolls can take advantage of the chaos.
does anyone have any idea of who can be the culprits?
eranormus said:
This is extremely concerning, I believe we never had a mass breaching of passwords as bad as this one, literally thousands of accounts got compromised.
Now mountains of people will need to rebuild their account from zero, but during the process of people getting new accounts, countless trolls can take advantage of the chaos.
does anyone have any idea of who can be the culprits?
It was probably just the same breach as FA's Gregging, don't use online password managers, don't use the same password for everything, and certainly don't use your email password for anything else, and 99% of issues go away.
eranormus said:
This is extremely concerning, I believe we never had a mass breaching of passwords as bad as this one, literally thousands of accounts got compromised.
Now mountains of people will need to rebuild their account from zero, but during the process of people getting new accounts, countless trolls can take advantage of the chaos.
does anyone have any idea of who can be the culprits?
Most of the accounts were abandoned accounts with little/no activity or even avatars. Old and inactive accounts are easier to compromise since they're more likely to not have changed passwords in a long time as well as have a good chance to be throwaway accounts with garbage passwords.
votp said:
It was probably just the same breach as FA's Gregging, don't use online password managers, don't use the same password for everything, and certainly don't use your email password for anything else, and 99% of issues go away.
FA's Gregging?
disposableyeens said:
FA's Gregging?
FA recently had a bunch of compromised accounts start spamming Gregg, most were of the same "category" of old/unused accounts as happened here.
dba_afish said:
everything after topic #47625 but before topic #53932 were spam threads (that's more than 6300 threads)
RIP topic #50000
I have recently got unbanned from my account being compromised apparently.
My email isn't pwned, I use an offline open-source password manager program, my other accounts are untouched, the only way I was hacked is by my weak generated password.
Always use strong, long passwords with uppercase and lowercase, numbers, special characters and extended ASCII!
moojuicers said:
I have recently got unbanned from my account being compromised apparently.
My email isn't pwned, I use an offline open-source password manager program, my other accounts are untouched, the only way I was hacked is by my weak generated password.
Always use strong, long passwords with uppercase and lowercase, numbers, special characters and extended ASCII!
That advice aged like roast beef, haha!
Length is King, all that matters is ease of guessing, restrictions/requirements on characters can sometimes make it easier to crack, that's all.
Which itself is dated advice. Now they're recommending cryptographic solutions like authenticators (2FA, not stupid SMS or email stuff). TBF, all my servers use key pairs to login to shells, because passwords on SSH is crazy talk. That however is not any kind of 2FA unless using a passphrase, and doesn't really meet the requirements that are the entire point even if it is (passphrase can get compromised with keyloggers).
moojuicers said:
Always use strong, long passwords with uppercase and lowercase, numbers, special characters and extended ASCII!
Most password fields won't even accept Extended ASCII... let alone having the input not being compatible with mobile devices.
alphamule said:
That advice aged like roast beef, haha!
Length is King, all that matters is ease of guessing, restrictions/requirements on characters can sometimes make it easier to crack, that's all.
Which itself is dated advice. Now they're recommending cryptographic solutions like authenticators (2FA, not stupid SMS or email stuff). TBF, all my servers use key pairs to login to shells, because passwords on SSH is crazy talk. That however is not any kind of 2FA unless using a passphrase, and doesn't really meet the requirements that are the entire point even if it is (passphrase can get compromised with keyloggers).
2FA scares me because of my personal experiences. If your device is damaged in some way, which is often not something that's predictable, you're screwed. I know because it's happened to me before. Lost my Discord account that way.
lendrimujina said:
2FA scares me because of my personal experiences. If your device is damaged in some way, which is often not something that's predictable, you're screwed. I know because it's happened to me before. Lost my Discord account that way.
A great reason why you don't use something that's only on one device
If you want something online use authy, else find some app that allows you to export and keep backups off that phone
We're still looking into how exactly those accounts were compromised, but it doesn't seem like they actually got into our systems in any way.
However a few people that have requested access to their lost accounts back have given me their passwords (unprompted I might add, don't fucking send your password over email or I will find you) and they've all been shit like their date of birth (literally just 8 digits), a name and a number, and similar.
For the love of Sithis please do follow the usual password recommendations and don't just use a password that your grandma can guess in 3 tries over tea.
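Two points made above, that length matters far more than composition rules and that a date of birth or a name plus a number is a handful of guesses, worked through as an added example (not code from the thread or from the site). The character classes, the 100-year birth window and the 2024 reference date are constructed assumptions; the 16-base64-character and 20-character cases match patterns mentioned later in the thread and in typical password-manager output.

```python
import math
import secrets
import string
from datetime import date
from itertools import combinations
# Character classes a "one of each" policy refers to (constructed for the example).
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}
PRINTABLE = "".join(CLASSES.values())  # 94 characters
BASE64 = string.ascii_letters + string.digits + "+/"

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def birthdate_bits(years: int = 100) -> float:
    """An 8-digit date of birth is far fewer than 10**8 guesses: only valid dates
    count. Constructed assumption: born within `years` years of a fixed reference day."""
    ref = date(2024, 1, 1)
    return math.log2((ref - ref.replace(year=ref.year - years)).days)

def count_with_all_classes(class_sizes, length: int) -> int:
    """Strings of `length` over the union alphabet containing at least one character
    from every class, by inclusion-exclusion over the set of classes left out."""
    total = 0
    for k in range(len(class_sizes) + 1):
        for left_out in combinations(class_sizes, k):
            total += (-1) ** k * (sum(class_sizes) - sum(left_out)) ** length
    return total

def composition_rule_bits_lost(length: int) -> float:
    """Bits a 'one of each class' rule removes from the 94-character keyspace."""
    sizes = [len(c) for c in CLASSES.values()]
    return math.log2(sum(sizes) ** length / count_with_all_classes(sizes, length))

def generate(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: CSPRNG-chosen characters, no composition rules."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def compare() -> dict:
    """Entropy in bits of the password patterns mentioned in the thread."""
    return {"8-digit birthdate (valid dates only)": round(birthdate_bits(), 1),
            "16 base64 chars": round(entropy_bits(len(BASE64), 16), 1),
            "20 random printable chars": round(entropy_bits(len(PRINTABLE), 20), 1),
            "bits lost to a 4-class rule at 8 chars": round(composition_rule_bits_lost(8), 2),
            "bits lost to a 4-class rule at 20 chars": round(composition_rule_bits_lost(20), 2)}

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:42s} {value}")
```

At 8 characters the "one of each class" rule throws away more than half of the keyspace (over a bit of entropy); at 20 characters the same rule costs almost nothing, which is the sense in which length is what counts.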
donovan_dmc said:
A great reason why you don't use something that's only on one device
If you want something online use authy, else find some app that allows you to export and keep backups off that phone
Authy is a bad idea, as it's proprietary and they recently stopped supporting a desktop client.
I'd recommend Ente Auth, as it's fully open source and has clients for just about everything, a few more features than Authy, and it allows you to pull all your things and migrate them elsewhere if you so choose.
Here's a password generation solution: Faceroll.
No, that's not a programme, pop a notepad open and roll your face across the keyboard like you're trying to summon Yog-Sothoth, then physically write down on a post-it note or in a book that generated password before using it.
Hopping in to recommend my two favorite password managers:
KeePassXC and KeePassDX
the former for all desktops, the latter for Android.
Both are open source, integrate with browsers / autofill and support TOTP (2FA).
They also both use the KDBX format, a database that contains all your passwords and is protected by your master password (make this one long!), and can easily be used together as long as you have a cloud solution (e.g. Dropbox or Google Drive) to store your database file in.
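The TOTP (2FA) codes that KeePassXC, KeePassDX and the authenticator apps discussed above generate, and why the exportable seed is what saves you when the phone dies (the point raised earlier about Authy and backups): an added example, not code from the thread or from any of those apps. It implements RFC 4226 HOTP and RFC 6238 TOTP in Python and reads the otpauth URI that authenticator apps export; the e621 label and issuer in the sample URI are constructed values, and the key is the RFC 6238 reference secret.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock. Everything here is
    recomputable from `key`, which is why backing up the seed beats backing up a device."""
    return hotp(key, unix_time // step, digits)

def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=<base32>&... URI as exported by
    authenticator apps. Missing digits/period fall back to the RFC defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # apps usually strip base32 padding; restore it
    return {"label": unquote(u.path.lstrip("/")),
            "key": base64.b32decode(secret),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def code_from_uri(uri: str, unix_time: int) -> str:
    """The code an authenticator would show for this URI at the given time."""
    p = parse_otpauth(uri)
    return totp(p["key"], unix_time, p["period"], p["digits"])

# Constructed sample: the RFC 6238 reference secret in the export format apps use.
RFC_KEY = b"12345678901234567890"
EXAMPLE_URI = ("otpauth://totp/e621:someone%40example.org?secret="
               + base64.b32encode(RFC_KEY).decode().rstrip("=") + "&issuer=e621")

if __name__ == "__main__":
    print(code_from_uri(EXAMPLE_URI, int(time.time())))
```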
Is KeePassXC reliable? I can't afford Dashlane.
I both love and hate my moleskin <3
lendrimujina said:
Most password fields won't even accept Extended ASCII... let alone having the input not being compatible with mobile devices.
2FA scares me because of my personal experiences. If your device is damaged in some way, which is often not something that's predictable, you're screwed. I know because it's happened to me before. Lost my Discord account that way.
Yeah, it's why they compromised on RSA keys just needing a passphrase. Ease of use. Because Smartcards (before TPM) were not exactly the most convenient way, and to do them right, you don't directly use the main certificate. You're effectively your own CA and issue them for each device, unless you go all proprietary, and oops, lost the (physical) key, and better have a spare Yubikey to get back in. XD Note: Some of the best innovation has been making this all more ubiquitous. Just backup your root key protected with a passphrase, somewhere, and then generate unlimited device keys. Hell, you can do this entirely offline, blackbox-style.
Discord account signup is even harder on a new account than key recovery (joke, but they surely suck). It's why it pisses me off when people go behind registration wall on the tallest-walled garden, ever, while looking at me like I'm the sucker.
I agree that Authy is probably a bad idea, for mostly the mentioned reasons.
votp said:
Here's a password generation solution: Faceroll.
No, that's not a programme, pop a notepad open and roll your face across the keyboard like you're trying to summon Yog-Sothoth, then physically write down on a post-it note or in a book that generated password before using it.
LOL, or use PuTTYGen or other entropy catcher and just use at least 16 of the characters it generates for your base64-encoded key. ;)
Online password managers seem like they could be secure if just storing an encrypted copy that is useless without your passphrase and key, but I've heard horror stories of sites losing millions of passwords so they can't all be doing that.
alphamule said:
Yeah, it's why they compromised on RSA keys just needing a passphrase. Ease of use. Because Smartcards (before TPM) were not exactly the most convenient way, and to do them right, you don't directly use the main certificate. You're effectively your own CA and issue them for each device, unless you go all proprietary, and oops, lost the (physical) key, and better have a spare Yubikey to get back in. XD Note: Some of the best innovation has been making this all more ubiquitous. Just backup your root key protected with a passphrase, somewhere, and then generate unlimited device keys. Hell, you can do this entirely offline, blackbox-style.
Discord account signup is even harder on a new account than key recovery (joke, but they surely suck). It's why it pisses me off when people go behind registration wall on the tallest-walled garden, ever, while looking at me like I'm the sucker.
I agree that Authy is probably a bad idea, for mostly the mentioned reasons.
LOL, or use PuTTYGen or other entropy catcher and just use at least 16 of the characters it generates for your base64-encoded key. ;)
Online password managers seem like they could be secure if just storing an encrypted copy that is useless without your passphrase and key, but I've heard horror stories of sites losing millions of passwords so they can't all be doing that.
I still find the idea of taking something that, the only purpose of is to stop other people somewhere else from using it, and putting it where those other people can get at it, insane. I'm not worried about anyone in my house rifling through my codebook and popping into my browser to figure out what the abbreviations refer to, maybe I'm just a grumpy old fuck.
votp said:
I still find the idea of taking something that, the only purpose of is to stop other people somewhere else from using it, and putting it where those other people can get at it, insane. I'm not worried about anyone in my house rifling through my codebook and popping into my browser to figure out what the abbreviations refer to, maybe I'm just a grumpy old fuck.
Housefires happen, but yeah. I used to just keep a list for all of them and then memorize say, an 8-character additional code to keep typing at the end. It would be trolling to call that 2FA? After all, I'd still need the notepad in addition to the thing I memorized. :D
bacup, n. A northern method of backing up your computer, which basically involves writing down everything that's on it. ~ Liff Sentence