Hughesnet Community

Hackers are using people's email addresses

cancel
Showing results for 
Search instead for 
Did you mean: 
MarkJFine
Professor

Hackers are using people's email addresses

Received three emails in succession from a peer-to-peer energy transfer site: account notification, account verification, and a welcome email all in a matter of seconds of each other.

 

I quickly went to the site and reset whatever password was set to make sure it doesn't get used, and so they can't just recreate a new account with the same email.

 

Upon re-logging in after establishing the new password, they asked to resend an email verification, which I guess they never initially received - and that's a good thing.

 

Hackers have been targeting automated signup routines in websites for a long time, but this is the first time I've actually caught one using my email address and a phony password in the process.

 

This is truly scary stuff.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
16 REPLIES 16
maratsade
Distinguished Professor IV

That stinks. 

GabeU
Distinguished Professor IV

I had my email hacked a few years back.  It was my own fault, as I was using a weak password.  Now, even though I change the password on a regular basis and to something that would probably take the greatest password cracker in the world weeks to figure out, if not months, my email address is still spoofed, and sometimes back to me.  

 

There's nothing I can do about it now, and the only option I really have if I ever want to truly not deal with it anymore is create a new email address.  And, in reality, I should.  It just stinks as I've had my email address since 1998.  😞  

maratsade
Distinguished Professor IV

"something that would probably take the greatest password cracker in the world weeks to figure out, if not months, "

 

What if they use brute force?  I was told once that there are tools that can crack any password. 

GabeU
Distinguished Professor IV


@maratsade wrote:

"something that would probably take the greatest password cracker in the world weeks to figure out, if not months, "

 

What if they use brute force?  I was told once that there are tools that can crack any password. 


They probably can, but the longer and more complex it is the harder it is.  Mine's presently 16 characters and uses upper case and lower case letters, numbers and symbols in no discernible order.  

 

Granted, my statement about how long it would take is an exaggeration, but my password is a bit more complex than "Password12345".  😛  

maratsade
Distinguished Professor IV

"but my password is a bit more complex than "Password12345". "

 

That's my password for everything!  LOL

GabeU
Distinguished Professor IV

I used "dude" for a password on a site I really didn't care about a couple of years ago.  And the worst part is the fact that the website actually allowed me to use a four character password, and just lowercase letters.  

 

It wasn't a time when I used my normal email address for the account sign up.  

maratsade
Distinguished Professor IV

"I used "dude" for a password on a site I really didn't care about a couple of years ago."

 

CIA level stuff, man.  LOL

 

I use very long passwords if allowed, but many places don't let you use anything longer than 8 characters. 

GabeU
Distinguished Professor IV


@maratsade wrote:

 

 

I use very long passwords if allowed, but many places don't let you use anything longer than 8 characters. 


It's very annoying.  Many don't allow you to use characters other than letters and numbers, either.  They need to get with 2018.  

maratsade
Distinguished Professor IV

That annoys me too, because I use characters.  I don't know why some places don't allow them.  I know nothing about this stuff, so I wonder, is it more expensive or cumbersome to the site to allow long passwords and the use of characters?

 

 


@GabeU wrote:

.  Many don't allow you to use characters other than letters and numbers, either.  They need to get with 2018.  

 

GabeU
Distinguished Professor IV


@maratsade wrote:

I know nothing about this stuff, so I wonder, is it more expensive or cumbersome to the site to allow long passwords and the use of characters? 


Good question.  It probably is more difficult to allow longer passwords and or additional characters, but that they don't do so, regardless, is just "bad business".  😞 

The thing nowadays, is that although my email account wasn't hacked. They're using valid email addresses to use as the From in spam as well as to hack other web sites - just in case each system checks to see if it's real.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
GabeU
Distinguished Professor IV


@MarkJFine wrote:

The thing nowadays, is that although my email account wasn't hacked. They're using valid email addresses to use as the From in spam as well as to hack other web sites - just in case each system checks to see if it's real.


Yep.  The first time I ever saw that I immediately looked at my sent folder, and when I saw nothing was there I was stunned.  Stunned that they could do that.  And I have no doubt, though I didn't try, that if I replied to it the reply would have come to me.   It's crazy.   They're getting REALLY slick with the things they can do.  No more 1 for I or 0 for O.  It's spot on, today.  Scary.  

maratsade
Distinguished Professor IV

I imagine there's nothing much that can be done?

 


@MarkJFine wrote:

The thing nowadays, is that although my email account wasn't hacked. They're using valid email addresses to use as the From in spam as well as to hack other web sites - just in case each system checks to see if it's real.


 

 

An admin can set a validation with the server so when the email client goes to address it before a send (HELO), the server can see if that address had permission to send. The silly part is that it doesn't stop it from proceding. It just notes it in the headers. I also have a setting in my DNS record.

 

Part of my spam script also looks to see if something with my email address came from the server IP it's supposed to come from. I also ignore bounce messages from servers that still respond to spams like that (they should really stop that). All that stuff goes to /dev/nul (not even Junk) unless it's valid.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
maratsade
Distinguished Professor IV

So for your basic eejit on the information superhighway (say, oh, me), there's nothing much that can be done, then.  😉

Not for you, personally, but whoever you have your email with should be able to do these things if they're not in place already.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.