Lessons I'm back; experience of a hacked account

[Dan]

Beside making the password unique and complex, how about enabling Email Confirmation in “Two-Factor Verification”?

It's a bit of PIA, but I hope it would deter some hackers.

 

[drrich2]

Did you figure out who it was that hacked the SB account? Do you know the email address he used when he took the SB account over?

I don't know who, but the system did shoot me an e-mail at my real address telling me the password had been changed. Here's part of that:

"Your email at ScubaBoard was recently changed to seqecyxa@thichanthit.com. If you made this change, you may ignore this message.

If you did not request this change, please log in and change your password and email address. If you are unable to do this, please contact an administrator.

Your email was changed by the IP 181.215.176.103."

 

[Dan]

I don't know who, but the system did shoot me an e-mail at my real address telling me the password had been changed. Here's part of that:

"Your email at ScubaBoard was recently changed to seqecyxa@thichanthit.com. If you made this change, you may ignore this message.

If you did not request this change, please log in and change your password and email address. If you are unable to do this, please contact an administrator.

Your email was changed by the IP 181.215.176.103."

The problem with this is by the time you read the notice, you can’t login to your SB account anymore and the damage is done, i.e., that “too good to be true” BCD could be sold to an unsuspecting buyer by the time the administrator did something about it.

 

[Dan]

Hmmm. That has some interesting possibilities, but every active moderator would have to set the "Keyword Alerts" individually. Any innocent use of a particular word might trigger so many Alerts (like the upper right corner "Alerts" that it could be overwhelming.

You (meaning all our members) is our first line of defense. You sniffed this impostor our before Staff could brew our first cup in the morning. Using the Report function is great but fleshing a suspicious poster out when something doesn't smell right is even faster.

I'm not suggesting that you accuse someone at the first hint, especially since you could be mistaken, but there is nothing wrong with pointing out that using an unprotected payment method has been used in scams before.

If I did as shown below, would I be alerted to my email for any “For Sale” posts in SB and for any thread title with “For Sale” on the title?

What the “Keyword Set” entry is for?

 

[kelemvor]

It wasn't anything guessable. Had to be one of those 'data leaks' we hear about. IIRC (since my computer and phone logged me on automatically so I didn't have to enter it often), this was an old password I'd used in other places, and had for a long time. Most of my other site passwords had gotten changed over time, as some sites have demanded more complex passwords, etc...

My employer (Verizon) sprung for "Allstate Identity Protection" for employees. It's very comprehensive. Unfortunately, maybe a bit too much so as they seem to notify me frequently about my credentials being found somewhere or some other problem. I'm still pretty new to using the service. A week or so ago I got notified about a hack on the local parking app (where you pay for parking spots at the local beach). Apparently my credentials were included in the hack and subsequently turned up somewhere.

On the other hand, if Allstate ever gets hacked I bet I'm totally screwed. Since my employer is covering it, I don't really know what the cost is but they appear to have a free trial.

Allstate Identity Protection | Live Your Best Life Online

Edit: here's what the dashboard looks like. Kind of shocking what's "out there" on me.

 

[Hoag]

FWIW, I use a Password Manager app called "1Password". With it, I can make passwords as complicated and as random as I want and I only have to remember two passwords, the one to log into my computer and the one to access 1Password. After that, the app handles everything. (Just whatever you do, don't forget your password for 1Password or you are toast!)

There is a theory (and I don't know enough about IT security to know if it is true or not) that says every password less than 13 characters has been hacked, so if you want a secure password, it needs to be 13+ characters.

 

[letterboy]

If I did as shown below, would I be alerted to my email for any “For Sale” posts in SB and for any thread title with “For Sale” on the title?

What the “Keyword Set” entry is for?

View attachment 656886

IMHO this sounds like a laborious work around for something there should be a quick way to email/message the board admins. The amount of time spent trying to understand this function is not going to be spent by a regular user.

Even something like was mentioned upthread, once an email address is changed no items can be listed as sold for a week would be a good fix. I am sure there are software limitations on here too.

Mayhaps some of us spending time on xenforo forums to learn more about the features and functionality of the software would enable us to provide useful input...

 

[Marie13]

I find using the computer generated password function on my MacBook is the best option.

 

[Storker]

However, if I am locked out and unable to post or PM anyone on the board and suspect a foul play, what should be the the next step?

Try an email to support@scubaboard.com

 

[Akimbo]

However, if I am locked out and unable to post or PM anyone on the board and suspect a foul play, what should be the the next step?

Good point. You can use Contact Us, which pops this dialog box when you are logged out:

I believe that it is monitored by @The Chairman.