Paranoia: Compromised Password?

Discussion about the AutoHotkey Foundation and this website
lmstearn
Posts: 390
Joined: 11 Aug 2016, 02:32
GitHub: lmstearn
Contact:

Paranoia: Compromised Password?

Post by lmstearn » 21 Dec 2019, 08:10

As soon as I logged in to AHK today there was a new popup tab in Chrome with:
[Image: Password Checkup.JPG]
"Password Checker" is now bundled into Chrome, so these types of alerts might become more commonplace. In my case, it seems there is more than enough to be concerned about, especially if it is leading toward some kind of "stand and deliver" type of scenario.
As a matter of interest, if their password masterlist is of the order of terabytes in size, it's looking more and more like a paper tiger, who knows?
:arrow: itros "ylbbub eht tuO kaerB" a ni kcuts m'I pleH
tank
Posts: 2855
Joined: 28 Sep 2013, 22:15
Facebook: charlie.simmons.7334
Google: ttnnkkrr
GitHub: ttnnkkrr
Location: Irving TX
Contact:

Re: Paranoia: Compromised Password?

Post by tank » 21 Dec 2019, 11:49

While curious, I suspect it's nothing to worry about. I haven't changed my password in many years and don't get similar warnings. If our user table were exposed, surely my own password would flag.

I noticed that there are other criteria for flagging. And Google's warnings are non-specific.
We are troubled on every side‚ yet not distressed; we are perplexed‚
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
https://www.facebook.com/ahkscript.org
If you have forum suggestions please submit a pull request
Check Out WebWriter
Thanks Tank :thumbup:
boiler
Posts: 6830
Joined: 21 Dec 2014, 02:44

Re: Paranoia: Compromised Password?

Post by boiler » 30 Dec 2019, 00:43

@lmstearn: While tank is likely correct that the AHK forum’s passwords weren’t exposed, it doesn’t necessarily mean that your password wasn’t exposed on some other site if you re-use passwords. I was getting this same report from Chrome, and I noticed that it was flagging only sites where I used a password that I know for certain was exposed in a data breach on another particular site. I am now careful to use a unique password for each site.
ChickenFeet
Posts: 2
Joined: 22 Mar 2020, 22:06

Re: Paranoia: Compromised Password?

Post by ChickenFeet » 22 Mar 2020, 22:24

AHK Forum database has been hacked and user credentials have been leaked. USERNAMES AND PASSWORDS IN CLEAR TEXT.

You can view the hacked DB credentials in the file "Database Collection/AutoHotKey.com.txt":
https bileee.com /d-ba304cab082bad215263bd7f66902e128eccc7a3.html Broken Link for safety
http en.btdig.com /ba304cab082bad215263bd7f66902e128eccc7a3/abp=554 Broken Link for safety

Please note: The hacked credentials may be from the archived forum at https://autohotkey.com/board/

Anyone who has an account with AHK please change your password and change any other accounts that use the same password.

Admins of AHK forum can you release an official announcement about this news? The users of this site have a right to know. Admins why are you storing passwords in clear text? Please salt and hash the passwords.

Also worth noting that everyone should check https://haveibeenpwned.com/ every now and then to check their email accounts.
Last edited by ChickenFeet on 22 Mar 2020, 22:49, edited 1 time in total.
gregster
Posts: 5791
Joined: 30 Sep 2013, 06:48

Re: Paranoia: Compromised Password?

Post by gregster » 22 Mar 2020, 22:49

It is already known that there was an incident in 2015. Back then, forum members were informed via e-mail (see here, for example) and we forced a general password reset (around Nov 7-8, 2015). But I don't know any technical details.

I am not aware of any more recent events or problems... it also looks like Troy Hunt treats this list as unverified (link). My email address from back then appears on https://haveibeenpwned.com/ (from a specific hack back in 2012, not AHK-related) and on unverified "combo lists" from 2016 that may come from that hack and/or other sources, but not for autohotkey.com (probably because that particular list is not verified and isn't explicitly included there).

The current e-mail address that I have used since Feb 2019 for autohotkey.com doesn't appear at all (I don't get warned by Google/Chrome either), so my guess is that this might be old data.
ChickenFeet
Posts: 2
Joined: 22 Mar 2020, 22:06

Re: Paranoia: Compromised Password?

Post by ChickenFeet » 22 Mar 2020, 22:51

Ah okay. The dates on the torrents might be a bit misleading. I did Google to see if I could find any information on the leak, but Google didn't come up with anything. Google might be picking up this leak now and automatically blocking logins; my login was also blocked and I am on the list of leaked users.
gregster
Posts: 5791
Joined: 30 Sep 2013, 06:48

Re: Paranoia: Compromised Password?

Post by gregster » 22 Mar 2020, 23:24

Yeah, perhaps that data began circulating more heavily just recently, but once it's out there, it will be recycled forever.
(I still get spam/scam phone calls on one of my landline phone numbers in which they explicitly ask for my former roommate; she moved out in 2007 :) ).
nnnik
Posts: 4480
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Paranoia: Compromised Password?

Post by nnnik » 23 Mar 2020, 02:36

The old forums were a big mess; pretty sure that got fixed by now.
Recommends AHK Studio
GeekDude
Posts: 888
Joined: 02 Oct 2013, 22:13

Re: Paranoia: Compromised Password?

Post by GeekDude » 23 Mar 2020, 11:15

To quote myself from Reddit,
I'm skeptical anything was stored in plain text even then. Looking at the leak, these are all really weak passwords. Some information:
  • 5043/10921 (46%) appear on the "1,000,000 most common passwords" list
  • Average length is 8.0 (StdDev 1.8)
  • The 4th longest (16 chars) is the 605,701st most common password
  • The 3rd longest (16 chars) is the 599,206th most common password
  • The 2nd longest (18 chars) is four common words, all lowercase; one of them is "the", and another is two letters long.
  • The longest (20 chars) is two dictionary words, both lowercase
Top 5 email domains:

gmail.com 4462
yahoo.com 1591
hotmail.com 1321
live.com 137
mail.ru 130

I can't find my own email in that list, which indicates it's either incomplete (likely), over 10 years old (possible, I guess), or both. In light of that information, I'm comfortable saying that this is not a plain text leak; this is a brute-forced hashed database.

Given that distribution of email domains, I suspect it's an older list, though that's more of a feeling than an evidence-based claim. However, it does seem right for the time frame of the old forum hack.

I don't have any way to check if any of these accounts still exist. The latest forum software doesn't accept emails for login, the archived forum can't be logged in to, and I don't have access to anything on the site's backend.

Regardless, always practice good password hygiene. Don't reuse passwords, follow NIST guidelines for password strength, use a password manager.

If anyone would like me to check whether their email has been included in this dump, send me a direct message.
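The triage GeekDude describes above (hits on a common-password list, length statistics, the rank of the longest entries, top e-mail domains) is the kind of check a defender runs to tell a plaintext leak from a dump of cracked hashes: if the strong passwords are simply absent, they were most likely never cracked. The following is an added example, not code from the thread or from the AutoHotkey project; the leak records and the common-password list are constructed stand-ins, and the 40%/5% thresholds in `verdict` are assumptions.

```python
import statistics
from collections import Counter

# Constructed sample records (email, password); not data from any real dump.
LEAK = [
    ("a@gmail.com", "123456"),
    ("b@gmail.com", "password"),
    ("c@yahoo.com", "qwerty"),
    ("d@hotmail.com", "sunshine"),
    ("e@gmail.com", "letmein1"),
    ("f@live.com", "dragon99"),
    ("g@mail.ru", "thequickbrownfox"),
    ("h@gmail.com", "purplemonkey"),
]
# Constructed stand-in for the "most common passwords" list; rank = 1-based position.
COMMON = ["123456", "password", "qwerty", "sunshine", "dragon", "letmein", "monkey"]
COMMON_RANK = {p: i + 1 for i, p in enumerate(COMMON)}

def char_classes(pw):
    """Number of character classes (lower, upper, digit, other) present."""
    return sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))

def triage(records, rank=COMMON_RANK):
    """Summarise a credential dump the way the post above does."""
    pws = [p for _, p in records]
    lengths = [len(p) for p in pws]
    longest = sorted(pws, key=len, reverse=True)[:4]  # stable sort: ties keep order
    return {
        "total": len(pws),
        "on_common_list": sum(p in rank for p in pws),
        "complex": sum(char_classes(p) >= 3 for p in pws),
        "avg_len": round(statistics.mean(lengths), 1),
        "stdev_len": round(statistics.pstdev(lengths), 1),
        "longest": [(p, len(p), rank.get(p)) for p in longest],
        "top_domains": Counter(e.rsplit("@", 1)[1].lower() for e, _ in records).most_common(5),
    }

def verdict(stats, common_frac=0.4, complex_frac=0.05):
    """Assumed heuristic: many common-list hits and almost no multi-class passwords
    suggest cracked hashes (the strong ones are missing because they were never cracked)."""
    hit = stats["on_common_list"] / stats["total"]
    cplx = stats["complex"] / stats["total"]
    if hit >= common_frac and cplx <= complex_frac:
        return "likely cracked-hash dump"
    return "inconclusive; could be plaintext"
```

Against a real dump, replace `COMMON` with the full ranked list and stream the records from disk; the statistics and the heuristic stay the same.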
gregster
Posts: 5791
Joined: 30 Sep 2013, 06:48

Re: Paranoia: Compromised Password?

Post by gregster » 23 Mar 2020, 11:27

Thanks, GeekDude, for looking into it! :thumbup: