Hey CyberPeeps .... Got a minute?

Five_Inch_Heels

Some of you have implied in various posts that you work in back offices of cyber security jobs, or have in the past. I can't remember who, and don't want to bother if you're not interested.

There may be something sorta big brewing that started over this last weekend involving Chase. Seeking verification whether it did or not.

Not really a Lit thing, so may be best to do it via PM and this thread can go away in a while after contact is made.
 
Keeping in mind there are always multiple breaches at any given time, it’s probably the Salesforce one, which in turn meant customer data of lots of companies, big ones, ended up part of it.

It’s basically inescapable. Hacks at other places can impact you when all you did was have an account (ever).
 
Set up two-factor authentication on every account where it's an option, especially anything financial related!

Passwords get leaked constantly, but a scammer won't be able to access your account if they have your password but also require access to your phone to log in to an account.

Of course, then you have to be on the lookout for phishing attempts that will try to get you to share a 2FA one-time code with them...
 
Good advice, Penny. Also, don’t reuse the same password at more than one place. That way if one of the 100 username+passwords you have gets leaked and published/sold on the dark web, the other 99 are still unleaked.

Reused passwords are a top danger nowadays.

I haven’t fully gone the way of the password manager yet. Or passkeys. I know I should. My phone life is on one technology ecosystem and my computer life on another, and the technology of both crossing platforms and co-owning some accounts between household members isn’t quite all the way there yet.
 
If you can, use a password manager.

I admit I repeat a basic password structure for accounts I don't really care if they are hacked. I don't really care if someone reads Scientific American using my credentials.
 
The other side of this - with a password manager that's available over the tech you use (Android, iOS and Win for me), the passwords you use should NOT be human-readable unless there's a limit on what you use the passwords for. Streaming thru a 'smart' (HAH!) TV or the like typically requires using a cursor to hunt-and-peck a password into the system, which frequently also limits the characters you can use.

Even then, longer passwords are generally better than short ones. *MOST* sites with passwords are finally getting rid of max-length or upping max length to useful numbers. I have two that are less than 20 characters in length due to the site's limitations, and the great majority are well over that.

For a LOT more depth, a good moderate-dive on how longer passwords make it harder for attackers can be found at
 
This is not related to passwords or users. This is a high level hack, IF it happened at all. That's the problem, I can't verify if it happened or not. There hasn't been any consumer level news, probably because it didn't affect consumers, or they don't know yet if it did.

I'm looking for someone that has higher level insider access to such tech based news. Several posters have made such claims, but I can't recall who.
 
Combinatorics is a bitch, but she rules.

Increasing the space of characters you use helps as well. It's why many sites now require upper case, lower case, digits and punctuation. Using the entire printable ASCII set instead of just a-z makes a ten character password roughly a million times harder to crack. At least if you are not just using simple substitutions (! for 1, 3 for E, etc.)

I had a student who had memorized the key sequence to drop into Cherokee and had the second half of his password in Cherokee. None of the standard hacking tools would ever crack that.

This would not work on your TV, but I don't let my TV be connected to the internet anyway.
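
Added example, not part of any post in this thread: a short Python sketch of the points made above about password length, character set and simple substitutions. The substitution map and the four-word list are constructed stand-ins for real audit wordlists, and the bit counts assume every character is picked at random.

```python
import math
import string

# Printable-ASCII character classes; together they hold 95 characters.
POOLS = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
]

# Constructed sample of look-alike substitutions ("3 for E" and similar).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for the wordlists used in password audits.
WORDLIST = {"password", "letmein", "welcome", "dragon"}


def keyspace_bits(length, pool):
    """log2 of the number of random passwords of this length over this pool."""
    return length * math.log2(pool) if pool > 1 else 0.0


def pool_size(password):
    """Alphabet size implied by the character classes the password uses."""
    return sum(len(p) for p in POOLS if any(c in p for c in password))


def is_dictionary_variant(password):
    """True if undoing simple substitutions yields a wordlist entry."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.lower().translate(LEET) in WORDLIST


def report(password):
    """Summarise the naive estimate next to the dictionary check."""
    bits = keyspace_bits(len(password), pool_size(password))
    return {"length": len(password), "pool": pool_size(password),
            "naive_bits": round(bits, 1),
            "dictionary_variant": is_dictionary_variant(password)}


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "l3tm31n", "correcthorsebatterystaple"]:
        print(pw, report(pw))
    print("10 chars, a-z:", round(keyspace_bits(10, 26), 1), "bits")
    print("10 chars, printable ASCII:", round(keyspace_bits(10, 95), 1), "bits")
    print("20 chars, a-z:", round(keyspace_bits(20, 26), 1), "bits")
```

The naive figure only holds for randomly generated passwords, which is what a password manager produces; a password flagged as a dictionary variant is far weaker than its bit count suggests.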
 
Bloomberg.com reports cybersecurity breaches at financial institutions. I checked their cybersecurity reports dating back to August 28 and found no reports of a breach at Chase or at JP Morgan Chase.

That doesn't mean it didn't happen.
 
I'm retired now. Still involved in a semi-amateur way.

When I was working I would never have reported to any forum, no matter how anonymous I might think I might be, something that would have got me sacked, possibly imprisoned and unable to work again in the field. I think you are being optimistic that anyone is going to answer you as an anonymous person on a forum something that could be life-changing.

And yes
the password manager yet. Or passkeys. I know I should.
Do what they said. I still use a throwaway password that is semi-regular on things that don't matter. Not on anything serious. And 2FA where it matters.
 
All we know so far is that a number of web pages were down without explanation. Many of them are coming back, but edited and some parts don't work as they used to.
 
If you can, use a password manager.

I admit I repeat a basic password structure for accounts I don't really care if they are hacked. I don't really care if someone reads Scientific American using my credentials.
I have a gmail address using my name, from the invite days, so I get emails from other people with my name all the time. I don't know if they think that they have my address, or they are just using it as a throwaway address to sign up for stuff.

Like, 'I' apparently have several cars across the country; I work in real estate in Australia; I've purchased expensive software, etc. The thing that tops it off though is one asshole in Nova Scotia that signed up for a ton of paid magazines. I got tired of getting those so in a fit of pique, I changed every password I had access to. I looked him up and nearly called him to tell him to knock it off, but decided not to bother. I haven't gotten any from there in many years now.
 