Password found in data breach

frm

Well-known member
Chrome just threw this error out to me:

[attached screenshot: 1599108799440.webp]


Was XF compromised? Anybody else have this issue with saved passwords here?

My PayPal one was as well...
 
this does really mean that xenforo.com was compromised. this means that the password you are using is now in a public database (likely associated with your user id which is normally your email address) so it is best to set a new password. use a site like https://haveibeenpwned.com/ to see if your email account was part of some past data breach. if you reuse passwords on multiple sites, it is a very good idea to change the breached password on all connected domains.
 
Right. Even third party password managers are now offering similar functionality powered by the api provided by haveibeenpwned.com. Mozilla in fact is running their own branded service powered by the same api (https://monitor.firefox.com). Not sure if they are using other sources. But I get exact notifications from both these platforms.
 
I believe I used a hardened suggested password for it so unsure how both email/password together could be known?

If they have the email and password separately, but guess, I don't think they'd let it log in cause it'd take 1000s of attempts.

I'll look more into it with the site above.

Thanks
 
the password you are using on xenforo... is it used anywhere else? this usually happens when you are reusing the same password (no matter how complicated they are) on multiple platforms. one of those platforms gets breached (or leaks data through public s3 buckets for instance), the email/password is now in a public database and all other web services using the same combination become easily compromisable.

if your password is complicated and unique to xenforo... chrome should not be showing a warning sign! unless you managed to somehow generate a complicated password that is exactly the same as someone else on the internet and his account got breached somewhere! 😁

basically hackers these days do not run every single password combination. they use these public databases of leaked passwords. so even if your email id is not attached but the password is on one of these databases, it is still considered as a compromised password.

ps. also of course enable 2fa here and everywhere else where supported. that further reduces any chances of account compromise by a lot. even if your password is breached, 2fa adds a whole lot of complications to get access to the account.
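The check the posts above describe (Chrome, password managers and haveibeenpwned.com all compare your password against a corpus of leaked passwords) can be done without ever sending the password itself. Here is an added example, not from anyone in this thread, of the k-anonymity lookup the Pwned Passwords range API uses: hash the password with SHA-1, send only the first 5 hex characters, and compare the remaining 35 locally against the returned "SUFFIX:COUNT" lines. The breach corpus and counts below are constructed so the example runs offline; the real endpoint is https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed sample corpus: passwords assumed to be in a breach dump, with invented counts.
CONSTRUCTED_CORPUS = {
    "password": 3730471,
    "123456": 23597311,
    "qwerty": 3946737,
}


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys its corpus by the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ConstructedRangeServer:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Builds the same response format the real service returns: one line per
    hash whose first 5 hex chars match the prefix, as '<35-char suffix>:<count>'.
    It also records every prefix it was asked for, so you can verify that only
    5 characters of the hash ever left the client.
    """

    def __init__(self) -> None:
        self.by_prefix: dict[str, list[str]] = {}
        self.requests: list[str] = []
        for pw, count in CONSTRUCTED_CORPUS.items():
            h = sha1_hex(pw)
            self.by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
        # A decoy entry under the same prefix as "password": the client must match the
        # whole suffix, not just notice that the range came back non-empty.
        self.by_prefix[sha1_hex("password")[:5]].append("0" * 35 + ":1")

    def __call__(self, prefix: str) -> str:
        self.requests.append(prefix)
        return "\r\n".join(self.by_prefix.get(prefix, []))


def fetch_range_pwnedpasswords(prefix: str) -> str:
    """The real lookup (network; not used by the offline checks below).

    Add-Padding asks the service to mix in dummy suffixes with count 0 so the
    response size does not reveal how many real hashes share the prefix.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-breach-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; padding lines carry count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    Only the 5-character prefix is sent; the 35-character suffix is compared here.
    """
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    server = ConstructedRangeServer()
    for candidate in ["password", "correct horse battery staple 7Qx"]:
        n = breach_count(candidate, server)
        verdict = f"seen {n} times, change it" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes sent to server:", server.requests)
```

To run it against the live service, pass `fetch_range_pwnedpasswords` instead of the constructed server. A count of 0 only means the password is not in that corpus; it says nothing about whether it is reused, which is the scenario the posts above are really about.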
 
I'll have to check if it's the same anywhere else. Surely, I used a suggested new one here.

Changing nonetheless, but can't at the moment.
 
just curious... did you press the change password button? where did it link to? there is a new web standard being considered for exactly this scenario to allow password managers to link to the exact url where the user can change his/her password. it is easy to implement. apple is already using it. chrome would get it in a future update. mozilla is considering it.


it's pretty simple to implement. i have done it on my board. never got a chance to test it out though!

https://xenforo.com/.well-known/change-password could be set to redirect to https://xenforo.com/community/account/security.

xenforo devs might consider implementing it. Not sure if it should be a core feature and if I should post this as a feature request.
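The well-known URL described above (the W3C/WICG "A Well-Known URL for Changing Passwords") is just a redirect, but there is one detail worth getting right: the spec also defines a probe path, /.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200, which must not return 200, so that a client can tell a real redirect from a catch-all server that sends every unknown path to the homepage. Here is an added example (not XenForo code, and not from anyone in this thread) of a minimal Python handler that does both; the board's account-security path is assumed from the post above.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed: the board's real password-change page (taken from the example in the thread).
CHANGE_PASSWORD_URL = "/community/account/security"


def route(path: str) -> tuple[int, dict[str, str]]:
    """Decide status and headers for a request path (query string ignored).

    - /.well-known/change-password redirects to the real page; this is what a
      browser or password manager follows when it offers a "Change password" button.
    - Any other /.well-known/ path returns 404. In particular the spec's probe URL
      must not return 200, or clients will treat the site as a catch-all and
      ignore the redirect.
    - Everything else stands in for the normal site here.
    """
    clean = path.split("?", 1)[0].rstrip("/") or "/"
    if clean == "/.well-known/change-password":
        return 302, {"Location": CHANGE_PASSWORD_URL, "Cache-Control": "no-store"}
    if clean.startswith("/.well-known/"):
        return 404, {"Content-Type": "text/plain; charset=utf-8"}
    return 200, {"Content-Type": "text/plain; charset=utf-8"}


class WellKnownHandler(BaseHTTPRequestHandler):
    """Tiny server wrapper around route(); a real deployment does this in the web server."""

    def do_GET(self) -> None:  # noqa: N802 (http.server naming)
        status, headers = route(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if status == 200:
            self.wfile.write(f"page for {self.path}\n".encode())
        elif status == 404:
            self.wfile.write(b"not found\n")

    def do_HEAD(self) -> None:  # noqa: N802
        status, headers = route(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # curl -I http://127.0.0.1:8080/.well-known/change-password  -> 302 + Location
    HTTPServer(("127.0.0.1", 8080), WellKnownHandler).serve_forever()
```

In production the same two rules are a `return 302` and a `return 404` location block in nginx or Apache rather than a Python process; the point of the example is the probe-URL behaviour, which is the part a plain "redirect everything unknown to /" setup gets wrong.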
 
I've had the same password at XF since the beginning and fairly certain that I used a suggested password and saved it.

That's why I find it odd...

It's a lot of randomness to get that same suggested password 2 times.

Assuming 50 characters can be used that's a 1 in 50×50×50×50×50×50×50×50×50×50 chance of getting it twice?
 
right. seems weird if it is a unique password and has not been reused. i am not seeing the same alert for my password (set fairly recently though) for xenforo.com. (you could try a google search for that old password if you still have it stored somewhere and see if there are results for that. pastebin is a popular destination for password dumps.)
 
No results found but still updated the password.

Didn't see any login attempts from anywhere other than my area in the customer panel, so that's a plus, I suppose.

If that password was used elsewhere, and was part of another data breach, it was likely compromised. There is probably a couple hundred billion records out there that have been breached from multiple parties that could have had your password.
 
That's why I also use 2FA (not here) on most things, but 2FA can even be faked now... there's no win. :-P
 
2FA can be faked? Please explain?
There's a ton of stuff on this:

The most recent of which was the Reddit Trump hack where the hackers used this or completely breached the system:
 