Topic Wiki

Please email dan@dansdeals.com for help accessing your account if you can't reset your password.
« Last edited by Dan on August 30, 2023, 07:51:46 PM »

Author Topic: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!  (Read 12754 times)

Offline Yo ssi

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Aug 2019
  • Posts: 6975
  • Total likes: 2745
  • DansDeals.com Hat Tips 60
  • Gender: Male
    • View Profile
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #80 on: August 27, 2023, 03:13:11 PM »
There should be a 2FA badge so a user can have a bit more security
_    ,
' )  /
 /  / __   _   _   o
(__/_(_)  /_)_/_)_<_
 //
(/

Offline Essen est zich

  • Dansdeals Lifetime Platinum Elite
  • *******
  • Join Date: Apr 2017
  • Posts: 2225
  • Total likes: 749
  • DansDeals.com Hat Tips 31
    • View Profile
  • Programs: Nichoach Vol 2
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #81 on: August 27, 2023, 04:02:31 PM »
Quote from: Yo ssi
There should be a 2FA badge so a user can have a bit more security

Or a user verified badge which would require more personal info when creating an account...
Shloffen Shloft Zich

Offline yitzyul

  • Dansdeals Presidential Platinum Elite
  • ********
  • Join Date: Jul 2011
  • Posts: 2988
  • Total likes: 142
  • DansDeals.com Hat Tips 70
    • View Profile
  • Location: Monsey
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #82 on: August 27, 2023, 04:45:40 PM »
Yes my acct was hacked.
What was interesting is that
1) they never changed my password (which is usually the 1st step) or email address (then I wouldn't have known) so I suspect that the hacker didn't actually have the password (as you need the password to change it) or had a computer program that just tried numerous variations.
2) or they purposely didn't change the password as they thought that it might send me an email that it was changed... but didn't realize that all DMs send an email to my email address.
3) Another factor: the DMs they sent people were pretty similar to legit emails, as usually scams will lowball to try to get a deal as fast as possible. Here they didn't do that so I suspect that the hacker has been around DDF for a while and "knew" how to post or send DMs.


Regardless, I noticed at approx. 10 AM that I had some 20 emails in my account about people interested in gift cards so I knew that it was hacked. I immediately changed my password & emailed everyone (or almost) and told them that I was hacked: do not send any codes. I couldn't delete all the posts. The annoying part is that they deleted my inbox, in which I have messages saved for some 10+ years.

I didn't get a chance to read this thread, so it could be this was mentioned, but an email notification of a password reset is a must ASAP!
TY

« Last Edit: August 27, 2023, 04:50:15 PM by yitzyul »

Offline Alexsei

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Sep 2011
  • Posts: 5963
  • Total likes: 1520
  • DansDeals.com Hat Tips 5
    • View Profile
    • Travel & Kivrei Zadikim
  • Location: Truckistan
  • Programs: COVID-23
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #83 on: August 27, 2023, 05:09:01 PM »
Jews ≠ Zionists
Palestinians ≠ Hamas
Satmar ≠ SatmarHQ

Offline Definitions2

  • Dansdeals Platinum Elite
  • ****
  • Join Date: Aug 2023
  • Posts: 262
  • Total likes: 185
  • DansDeals.com Hat Tips 0
    • View Profile
  • Location: Lakewood
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #84 on: August 27, 2023, 05:10:30 PM »
I changed my password but for some reason I can't log in. I don't have the email used to register my account. I'm not sure what happened. Likely forgot the new password.

I'm not selling anything in case anybody gets a message from me.

Offline lcm

  • Dansdeals Lifetime Platinum Elite
  • *******
  • Join Date: Jul 2019
  • Posts: 1707
  • Total likes: 670
  • DansDeals.com Hat Tips 6
    • View Profile
  • Location: 5th paragraph of https://www.dansdeals.com/sms/
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #85 on: August 27, 2023, 05:58:59 PM »
Even after resetting my password, still able to access via tapa

Offline CountValentine

  • Dansdeals Lifetime 10K Presidential Platinum Elite
  • *******
  • Join Date: Mar 2013
  • Posts: 17342
  • Total likes: 7841
  • DansDeals.com Hat Tips -1
  • Gender: Female
    • View Profile
  • Location: Poland - Exiled
  • Programs: DAOTYA, DDF Level 3, 5K Lounge
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #86 on: August 27, 2023, 06:14:21 PM »
Tried email and username and no email with instructions was received.
Same for a friend.  :)
Only on DDF does 24/6 mean 24/5/half/half
Dow Jones Industrial Average Tops 40000 for the First Time

Offline AviationAtom

  • DansDeals Copper Elite
  • *
  • Join Date: Dec 2013
  • Posts: 6
  • Total likes: 9
  • DansDeals.com Hat Tips 0
    • View Profile
Re: DDF Account Hackers Buying/Selling Gift Cards From Existing Accounts
« Reply #87 on: August 27, 2023, 06:23:52 PM »
How do they hack? Data breach or vulnerability?

I work in cybersecurity, so I can tell you how it often goes:
Hackers find a site that could be of some value to them; they then use a list of passwords from database breaches on other sites that have been cracked. They feed in email and password pairs with their automated bruteforcing script until the script hits. Once they find a hit they log in with it and utilize that account in whatever form or fashion they can.

The best way to defeat this is always going to first and foremost be enabling two factor authentication, followed by a secure AND unique password (never used elsewhere), random security questions and answers, and lastly a unique email address per site.

A good unique password always hinges on length. Longer is better. It needn't be crazy, but it's helpful to incorporate uppers, lowers, numbers, and special characters. Password managers can often do this for you automatically, as well as keeping track of each password for each site. LastPass was mentioned as one, but I would highly recommend against it. 1Password or Bitwarden are probably two of the better and more recommended ones. A good password might look like this: garden6CAT-tortila. Easy to remember, but not super easy to crack.

1Password can also store your multifactor "Google Authenticator" tokens, and keep track of random security questions and answers.

As for unique email addresses the functionality is built into Gmail and some other providers. If your Gmail address is bob123@gmail.com then you can make your DansDeals email bob123+dansdeals@gmail.com and it will still reach the inbox of bob123@gmail.com.

If you want to check if your email and/or password has ever been in a breach then check haveibeenpwned.com to see. More than likely it has. When testing a password, the guy who designed the site (Troy Hunt) made it so only part of your password is hashed and is tested against the breached password database.
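
How the Pwned Passwords check mentioned in this post keeps the password off the wire, as an added example that is not part of the original post: the client computes the SHA-1 of the password, sends only the first five hex characters to the range endpoint, and matches the remaining 35 characters locally. The response body and the counts in it are constructed; nothing here contacts the service.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the server, suffix kept on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def range_url(password: str) -> str:
    """URL the client would request; it carries the hash prefix only."""
    return RANGE_ENDPOINT + split_hash(password)[0]

def breach_count(password: str, range_body: str) -> int:
    """Match the locally held suffix against a range response body.

    Each line is "<35-hex-char suffix>:<count>". The server returns every
    suffix sharing the prefix, so it never learns which one was checked.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

# Constructed response body for prefix 5BAA6 (counts are made up).
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
    "FFFA1F1C0D2E3B4A5968778695A4B3C2D1E:1\r\n"
)

if __name__ == "__main__":
    for pw in ("password", "garden6CAT-tortila"):
        print(pw, "->", range_url(pw), "seen:", breach_count(pw, SAMPLE_RANGE_BODY))
```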

Offline biobook

  • Dansdeals Lifetime Platinum Elite
  • *******
  • Join Date: Apr 2020
  • Posts: 1409
  • Total likes: 1711
  • DansDeals.com Hat Tips 0
    • View Profile
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #88 on: August 27, 2023, 06:24:13 PM »
Quote from: CountValentine
Tried email and username and no email with instructions was received.
Same for a friend.  :)

Did you click on Forgot your password?

Offline CountValentine

  • Dansdeals Lifetime 10K Presidential Platinum Elite
  • *******
  • Join Date: Mar 2013
  • Posts: 17342
  • Total likes: 7841
  • DansDeals.com Hat Tips -1
  • Gender: Female
    • View Profile
  • Location: Poland - Exiled
  • Programs: DAOTYA, DDF Level 3, 5K Lounge
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #89 on: August 27, 2023, 06:30:38 PM »
Quote from: biobook
Did you click on Forgot your password

Yes for both.

Offline CountValentine

  • Dansdeals Lifetime 10K Presidential Platinum Elite
  • *******
  • Join Date: Mar 2013
  • Posts: 17342
  • Total likes: 7841
  • DansDeals.com Hat Tips -1
  • Gender: Female
    • View Profile
  • Location: Poland - Exiled
  • Programs: DAOTYA, DDF Level 3, 5K Lounge
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #90 on: August 27, 2023, 06:31:49 PM »
Wouldn't a simple fix be blocking login on the third failed attempt? @AviationAtom

Offline AviationAtom

  • DansDeals Copper Elite
  • *
  • Join Date: Dec 2013
  • Posts: 6
  • Total likes: 9
  • DansDeals.com Hat Tips 0
    • View Profile
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #91 on: August 27, 2023, 06:36:20 PM »
Quote from: CountValentine
Wouldn't a simple fix be blocking login on the third failed attempt? @AviationAtom

You're always trying to balance security and convenience/usability. Yes, you could block too many attempts from a single IP, but the hackers test for this. They have armies of available IP addresses from compromised hosts and can easily rotate in-between them all. You don't want to accidentally block legitimate users by saying they can't log in for a long while if they accidentally have their caps lock on, or enter the wrong password a few times before recalling their correct one. It's frustrating trying to find a balance.

Offline CountValentine

  • Dansdeals Lifetime 10K Presidential Platinum Elite
  • *******
  • Join Date: Mar 2013
  • Posts: 17342
  • Total likes: 7841
  • DansDeals.com Hat Tips -1
  • Gender: Female
    • View Profile
  • Location: Poland - Exiled
  • Programs: DAOTYA, DDF Level 3, 5K Lounge
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #92 on: August 27, 2023, 06:41:18 PM »
Quote from: AviationAtom
You're always trying to balance security and convenience/usability. Yes, you could block too many attempts from a single IP, but the hackers test for this. They have armies of available IP addresses from compromised hosts and can easily rotate in-between them all. You don't want to accidentally block legitimate users by saying they can't log in for a long while if they accidentally have their caps lock on, or enter the wrong password a few times before recalling their correct one. It's frustrating trying to find a balance.

So make it ten tries as brute force will take many more tries, no?

Offline AviationAtom

  • DansDeals Copper Elite
  • *
  • Join Date: Dec 2013
  • Posts: 6
  • Total likes: 9
  • DansDeals.com Hat Tips 0
    • View Profile
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #93 on: August 27, 2023, 07:04:54 PM »
Quote from: CountValentine
So make it ten tries as brute force will take many more tries, no?

It generally comes down to them trying each email address only once and having a seemingly infinite amount of IP addresses to try each new email address with. It becomes hard to attach all those unique login attempts to a single "user." You could lock down overall logins if logins exceed a total threshold, but then you will lock out legitimate users again.

Really the best thing to do is get users to use strong and unique passwords per site. If they're old and can't figure out password managers then they should go back to the trusty old password book.

AI is getting better at being able to recognize strange login patterns, but there is still a big disparity in who such technology is accessible to right now. One day it will likely be baked into most web applications though.
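
The gap discussed in replies #90 to #93, as an added example that is not part of any post: a lockout after the third failure, keyed by IP or by account, catches only the user who mistyped, while a per-window count of distinct accounts that each failed once surfaces the run as an alert without locking anyone out. The log entries, window size and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

def make_events():
    """Constructed login log: (epoch_seconds, source_ip, username, success)."""
    # A legitimate user mistypes three times, then gets it right.
    events = [(t, "198.51.100.7", "alice", ok)
              for t, ok in [(0, False), (15, False), (30, False), (45, True)]]
    # Stuffing run: 30 accounts, one guess each, every guess from a new IP.
    events += [(120 + 2 * i, f"203.0.113.{i + 1}", f"user{i:02d}", False)
               for i in range(30)]
    return events

def lockout_hits(events, key_index, limit):
    """Keys (index 1 = IP, 2 = username) with at least `limit` failures."""
    fails = Counter(e[key_index] for e in events if not e[3])
    return sorted(k for k, n in fails.items() if n >= limit)

def spray_windows(events, window=60, min_accounts=10, max_tries=1):
    """Tumbling windows where many distinct accounts each fail <= max_tries times."""
    buckets = defaultdict(Counter)
    for ts, _ip, user, ok in events:
        if not ok:
            buckets[ts - ts % window][user] += 1
    flagged = []
    for start, per_user in sorted(buckets.items()):
        single_shot = sum(1 for n in per_user.values() if n <= max_tries)
        if single_shot >= min_accounts:
            flagged.append((start, single_shot))
    return flagged

if __name__ == "__main__":
    ev = make_events()
    print("locked by IP      :", lockout_hits(ev, 1, 3))
    print("locked by account :", lockout_hits(ev, 2, 3))
    print("alert windows     :", spray_windows(ev))
```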

Offline Alexsei

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Sep 2011
  • Posts: 5963
  • Total likes: 1520
  • DansDeals.com Hat Tips 5
    • View Profile
    • Travel & Kivrei Zadikim
  • Location: Truckistan
  • Programs: COVID-23
Re: DDF Account Hackers Buying/Selling Gift Cards From Existing Accounts
« Reply #94 on: August 27, 2023, 07:08:34 PM »
Quote from: AviationAtom
I work in cybersecurity, so I can tell you how it often goes:
Hackers find a site that could be of some value to them; they then use a list of passwords from database breaches on other sites that have been cracked. They feed in email and password pairs with their automated bruteforcing script until the script hits. Once they find a hit they log in with it and utilize that account in whatever form or fashion they can.

The best way to defeat this is always going to first and foremost be enabling two factor authentication, followed by a secure AND unique password (never used elsewhere), random security questions and answers, and lastly a unique email address per site.

A good unique password always hinges on length. Longer is better. It needn't be crazy, but it's helpful to incorporate uppers, lowers, numbers, and special characters. Password managers can often do this for you automatically, as well as keeping track of each password for each site. LastPass was mentioned as one, but I would highly recommend against it. 1Password or Bitwarden are probably two of the better and more recommended ones. A good password might look like this: garden6CAT-tortila. Easy to remember, but not super easy to crack.

1Password can also store your multifactor "Google Authenticator" tokens, and keep track of random security questions and answers.

As for unique email addresses the functionality is built into Gmail and some other providers. If your Gmail address is bob123@gmail.com then you can make your DansDeals email bob123+dansdeals@gmail.com and it will still reach the inbox of bob123@gmail.com.

If you want to check if your email and/or password has ever been in a breach then check haveibeenpwned.com to see. More than likely it has. When testing a password, the guy who designed the site (Troy Hunt) made it so only part of your password is hashed and is tested against the breached password database.

Wouldn't it be a good idea to put the entire site under cloudflare firewall? Free and easy.
« Last Edit: August 27, 2023, 07:13:50 PM by Alexsei »

Offline CountValentine

  • Dansdeals Lifetime 10K Presidential Platinum Elite
  • *******
  • Join Date: Mar 2013
  • Posts: 17342
  • Total likes: 7841
  • DansDeals.com Hat Tips -1
  • Gender: Female
    • View Profile
  • Location: Poland - Exiled
  • Programs: DAOTYA, DDF Level 3, 5K Lounge
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #95 on: August 27, 2023, 07:10:42 PM »
I should clarify. By locking them out I mean they would then have to reset their password. Not really a big deal. I have a CU that constantly locks me out.

Offline shlomoandtam

  • Dansdeals Gold Elite
  • ***
  • Join Date: Mar 2022
  • Posts: 149
  • Total likes: 139
  • DansDeals.com Hat Tips 0
    • View Profile
  • Location: lakewood
  • Programs: SNAP, WIC, Jersey Care, HUD. ;)
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #97 on: August 27, 2023, 08:43:10 PM »
The other concerning element of this attack is that it's an indication DDF is on the radar of scammers. It's going to make doing business/trades with newer members riskier IMO. (And the honesty / general lack of scams is one of the nicer elements of DDF).
very good point

Offline S209

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Jun 2016
  • Posts: 7559
  • Total likes: 3985
  • DansDeals.com Hat Tips 1
  • Gender: Male
    • View Profile
    • Gowns By Shevy
  • Location: Lakewood
  • Programs: Marriott Gold, Star Alliance Gold, Hyatt Explorist, Hertz PC, National EE, Rock Royalty Wild Card, Wyndham Diamond, MLife Gold, Caesars Diamond, Hilton Diamond, Uber VIP, IHG Platinum Elite, ANA Platinum, DDF Lifetime Prez Platinum Elite, AmEx Platinum
Re: CHANGE YOUR PASSWORD! DDF Account Hackers Buying/Selling Gift Cards!
« Reply #99 on: August 27, 2023, 09:51:31 PM »
Quote from: AviationAtom
AI is getting better at being able to recognize strange login patterns

And with nearly identical precision, AI is learning how to beat that algorithm.
Quote from: YitzyS
Quotes in a signature is annoying, as it comes across as an independent post.