Password found in data breach

frm

Well-known member
Chrome just threw this error out to me:

1599108799440.webp


Was XF compromised? Anybody else have this issue with saved passwords here?

My PayPal one was as well...
 
this does really mean that xenforo.com was compromised. this means that the password you are using is now in a public database (likely associated with your user id which is normally your email address) so it is best to set a new password. use a site like https://haveibeenpwned.com/ to see if your email account was part of some past data breach. if you reuse password on multiple sites, it is a very good idea to change the breached password on all connected domains.
 
Right. Even third party password managers are now offering similar functionality powered by the api provided by haveibeenpwned.com. Mozilla in fact is running their own branded service powered by the same api (https://monitor.firefox.com). Not sure if they are using other sources. But I get exact notifications from both these platforms.
 
I believe I used a hardened suggested password for it so unsure how both email/password together could be known?

If they have the email and password separately, but guess, I don't think they'd let it log in cause it'd take 1000s of attempts.

I'll look more into it with the site above.

Thanks
 
the password you are using on xenforo... is it used anywhere else? this usually happens when you are reusing the same password (no matter how complicated they are) on multiple platforms. one of those platforms get breached (or leak data through public s3 buckets for instance), the email/password is now in a public database and all other web services using the same combination becomes easily compromizable.

if your password is complicated and unique to xenforo... chrome should not be showing a warning sign! unless you managed to somehow generate a complicated password that is exactly the same as someone else on the internet and his account got breached somewhere! 😁

basically hackers these days do not run every single password combination. they use these public databases of leaked passwords. so even if your email id is not attached but the password is on one of these databases, it is still considered as a compromised password.

ps. also of course enable 2fa here and everywhere else where supported. that further reduces any chances of account compromise by a lot. even if your password is breached, 2fa adds a whole lot of complications to get access to the account.
 
the password you are using on xenforo... is it used anywhere else? this usually happens when you are reusing the same password (no matter how complicated they are) on multiple platforms. one of those platforms get breached (or leak data through public s3 buckets for instance), the email/password is now in a public database and all other web services using the same combination becomes easily compromizable.

if your password is complicated and unique to xenforo... chrome should not be showing a warning sign! unless you managed to somehow generate a complicated password that is exactly the same as someone else on the internet and his account got breached somewhere! 😁

basically hackers these days do not run every single password combination. they use these public databases of leaked passwords. so even if your email id is not attached but the password is on one of these databases, it is still considered as a compromised password.
I'll have to check if it's the same anywhere else. Surely, I used a suggested new one here.

Changing nonetheless, but can't at the moment.
 
just curious... did you press the change password button? where did it link to? there is a new web standard being considered for exactly this scenario to allow password managers to link to the exact url where the user can change his/her password. it is easy to implement. apple is already using it. chrome would get it in a future update. mozilla is considering it.


it's pretty simple to implement. i have done it on my board. never got a chance to test it out though!

https://xenforo.com/.well-known/change-password could be set to redirect to https://xenforo.com/community/account/security.

xenforo devs might consider implementing it. Not sure if it should be a core feature and if I should post this as a feature request.
 
Last edited:
I've had the same password at XF since the beginning and fairly certain that I used a suggested password and saved it.

That's why I find it odd...

It's a lot of randomness to get that same suggested password 2 times.

Assuming 50 characters can be used that's a 1 in 50×50×50×50×50×50×50×50
×50×50 chance of getting it twice?
 
right. seems weird if it is a unique password and has not been reused. i am not seeing the same alert for my password (set fairly recently though) for xenforo.com. (you could try a google search for that old password if you still have it stored somewhere and see if there are results for that. pastebin is a popular destination for password dumps.)
 
No results found but still updated the password.

Didn't see any login attempts from anywhere other than my area in the customer panel, so that's a plus, I suppose.

If that password was used elsewhere, and was part of another data breach, it was likely compromised. There is probably a couple hundred billion records out there that have been breached from multiple parties that could have had your password.
 
If that password was used elsewhere, and was part of another data breach, it was likely compromised. There is probably a couple hundred billion records out there that have been breached from multiple parties that could have had your password.
That's why I also use 2FA (not here) on most things, but 2FA can even be faked now... there's no win. :-P
 
2FA can be faked? Please explain?
There's a ton of stuff on this:

The most recent of which was the Reddit Trump hack where the hackers used this or completely breached the system:
 
Back
Top Bottom