- cross-posted to:
- privacy@lemmy.ca
- privacy@lemmy.world
- privacyguides@lemmy.one
- cross-posted to:
- privacy@lemmy.ca
- privacy@lemmy.world
- privacyguides@lemmy.one
You must log in or register to comment.
This breach is worse than just a website’s database being leaked. These are info-stealer malware logs. Meaning that you had malware on one of your devices that recorded you typing your credentials into websites and then the logs of that malware were publicly leaked.
Before changing all of your passwords (and setting up a password manager if you don’t already use one) you need to identify which of your devices was compromised and wipe it.
If you change all your passwords from the compromised device then the malware will just record all of your new passwords.
How would one identify which device was compromised?
Assume all of them are infected.
Turn off your computer and make sure it powers down. Toss it in a 43-foot hole in the ground. Bury it completely rocks and boulders should be fine. Then burn any clothes you may have worn any time you were onliiiine
Wait a sec my grandmother is calling me about some pictures I apparently sent her
Instructions unclear, I don’t speak Swahili
That advice is a bit too weird;)
Which password manager is good? I use Bitwarden but it would take forever to change all my passwords inside of it
Bitwarden have a good balance of security, price and convenience. If you want more control and less convenience, KeePass.
Keepassxc
The best IMO because it’s just a client you install on a device which reads an encrypted data file you can sync how you like.
This way it’s not a hoard like lastpass or bitwarden.
And keepass2Android
Personally, I use KeePassDX for my android client, but either works. I use Syncthing to sync changes between devices, though I think the android version of that stopped being supported a few months back, but it still works fine for now.
I am doing the same, all I need is keepassdx to support passkeys now
Any thoughts on 1Password?
Last time I used it was very convenient, but the price was too high for me. Besides that, I bought 1pass when was possible to buy once and have it forever, since then, they made increasingly harder to access it if you bought instead of use as a paid service. That’s why I made the change to KeePass. The only thing that 1pass offers that could justify their business model as a service is sync on multiple devices, and bitwarden does that as well. KeePass don’t, but you can make it happen with free Dropbox for example.
I had an internship a couple years back at a web development startup that used it. Seemed to work just fine.
Bitwarden.
Do you have a clue about what haveibeenpwned is?
For those wondering what this is Troy Hunter (HIBP founder) wrote an article on this new feature.
That’s a great pseudonym, if it is one. Troy Hunter, i.e. hunter of trojans. Fantastic
Assuming this email is legit, the best thing that you can do is change as many of your passwords as possible to be unique and complex. You may also want to consider deleting old email addresses and getting new ones. Alternatively you can separate your emails addresses by having one for signing up for spammy services, one for personal stuff, one for work/school, etc. Try not to have much overlap between them all.
Edit: I also highly recommended using a temporary email for signing up for stuff whenever possible. I always use this one , but there are plenty of others too.
I kinda like https://yopmail.com/ as it’s much more customizable
I like grr.la because I can sign in into the services with any random name @grr.la before opening the temporarily mail site, and sometimes I find out that it wasn’t required to confirm the mail, saving some time
I also highly recommended using a temporary email for signing up for stuff whenever possible.
This is the worst security advice I have ever heard. Now someone doesn’t even need to get your password, just your email and they can just use the temporary email provider to reset your password?
For services that are throwaway, this is fine. I don’t care if someone gains access to my ice cream rewards account, they don’t have anything else important. And I believe these services only last 10 minutes, meaning you can’t password reset them because the inbox doesn’t exist.
Password manager, and use different randomly generated passwords.
The real danger is having the same password everywhere.
Also pay attention to where you save your payment info.
Everything I do online is through Privacy.com, with limits for each vendor. My amazon gets hacked? Most I’m out is $100, steam gets hacked, there goes $60. A subscription tries to double charge, lol no. Free trial wants to auto-bill me after 7 days, its not happening. Funneling everything through them isn’t 100%, but at least they’re not paypal, I get notified when ever even a 1 cent charge happens and I’m not leaving my bank card on a dozen random sites I’ll eventually loose track of.
What if my chosen service doesn’t allow me to change passwords that frequently?
It’s not that you change the passwords for each website often, it’s that you use a different password for each site. That way if one site gets hacked and your password is leaked, it can’t be used to access your accounts on other sites.
Sadly I don’t know of an alternative operating in Europe.
Revolut? I think you can create cards the same way
I do this. However I also hit the limit of disposable cards.
Turns out to not be as many as I would have thought.
Didn’t know that! Not using it but I heard you can then they decided to ban more secure custom ROMs 🤷♂️
There was a steam breach too, i changed my email and password for steam as well
Can you provide your source (no pun intended)?
That would mean you have a virus on your PC not that Steam DB has been breached, right?
If there is a virus on someone’s pc, the antimalware software would notice it, not have i been pwned. Idk who bought this bs up. Steamdb WAS breached. Not my pc was compromised, but Steam
I have not read the whole article because I’m to lazy but here is a picture from the article you posted. Antimalware is not perfect and cannot detect every threat on your PC. There have been cases of game developer accounts being hacked and then updates being pushed through those hacked accounts including stealer malware / spyware which would then be installed on your PC, which is not a Steam Database breach but a Steam Developer Account Hack. Maybe Steam should have stopped those updates IDK I’m no malware expert. EDIT: Btw. the last Steam Database breach I could find in my 2 mins of searching the web was in 2015.
That didn’t happen in my case, since i do not update my games, as they are mostly downloaded from fitgirl repacks
I think you missed the entire premise of the article you linked - the “stealer logs” mean someone logged into your account on a system that had been breached (infected with malware), and the “stealer” “logged” those credentials.
Also, SteamDB and Steam are two very different things. SteamDB is an independent third party offering that just tracks Steam data via their API.
Steam notifies about every login attempt and 2FA is also set. No way they could do that without me noticing. Haveibeenpwned only reports central database leaks, not user-side leaks
Nasty stuff, stealer logs. I’ve written about them and loaded them into Have I Been Pwned (HIBP) before but just as a recap, we’re talking about the logs created by malware running on infected machines. You know that game cheat you downloaded? Or that crack for the pirated software product? Or the video of your colleague doing something that sounded crazy but you thought you’d better download and run that executable program showing it just to be sure? That’s just a few different ways you end up with malware on your machine that then watches what you’re doing and logs it, just like this:
These logs all came from the same person and each time the poor bloke visited a website and logged in, the malware snared the URL, his email address and his password. It’s akin to a criminal looking over his shoulder and writing down the credentials for every service he’s using, except rather than it being one shoulder-surfing bad guy, it’s somewhat larger than that.
Seriously, read the article you posted. YOU probably attempted to log in and the virus on YOUR computer you seem to be in HEAVY denial about captured your info. You’re lucky the 2FA probably prevented the people who are are logging activity from your PC from accessing your Steam account.
The article you posted clearly defines stealer logs, and the email you screenshot clearly says your info is in a stealer log breach - I don’t know what more to say. You clearly have all the information you need, you just don’t want to process it.
YOU LOGGED INTO STEAM ON AN INFECTED COMPUTER AND ARE PROBABLY STILL USING THAT SYSTEM. YOUR COMPUTER HAS A VIRUS.
Stealer logs is pretty bad. Very bad to be fair. It means your computer is infected and have stolen all your saved passwords.
Reinstall your operating system completely. Take note of your accounts and change all their passwords. Start with your email address as its the most important one.
No, it was steam that was breached. Haveibeenpwned notices you about major central data leaks. It is not an anti-malware
Start changing passwords mon ami
Get a password manager and just start going from site to site and change em up. Use strong ones and store them in the pass manager. Start with critical ones like banks, email accounts, and government stuff, and then keep going…
Bitwarden is great, you can also optionally self-host it with vaultwarden.
I personally also suggest KeePass2 for an offline vault storage that you can use with Syncthing to synchronize so the data never leaves your devices.
It’s worth mentioning that both these programs are subject to leaks in machines infected with malware like OP’s was, so maybe if malware is a problem you deal with regularly, i suggest the online options.
This is really scary can you think of anything that infected your devices and stole your data? I heard about a massave data leak a weak ago :(
That’s not what happened
i get confused easy
