sp5it stolen/hijacked account now resolved

This is the real sp5it account owner. That account was stolen/hacked.
I’m not responsible for anything that happened during the last 2 weeks.
Just recovered that account with the help of the site admin.
Mike

5 Thanks

“You” almost got me :smiley:

How can we be certain it’s really you now? :stuck_out_tongue_winking_eye:

Interestingly it’s not the first time recently. Do you know how they got the password? Was there a social engineering attack in the flashlight community or just a good old “used password somewhere else and it got leaked”?

2 Thanks

That was my question as well, but he sent me some convincing proof. :wink:

So this is a good time to remind everybody that even if BLF is “just” a flashlight forum it’s still important to use a unique and strong password, because it’s almost certain that some other website you registered on with the same username/email and password has leaked that password to the World Wild Web (WWW) at some point.

4 Thanks

Unique password for every login + some trustworthy password manager to, well, manage them is the only way.

2FA/auth keys wherever possible.

1 Thank

I’ve said it before, but it’s worth repeating once in a while:

correct horse battery staple

… and some sort of password vault to remember everything for you, so you can easily have different passwords and other data on every site. Ideally, a different email and password for every site, and 2FA using a local TOTP/HOTP app or something. But at minimum, a different strong password for every site.

That way, at least when an account gets compromised, it’s only that account. The damage is limited in scope.

5 Thanks

So how did your account get stolen? Were the credentials stolen from you or from the BLF server?

1 Thank

The credentials were not stolen from BLF.

There are massive databases online of username/email + password combinations from other sites that were hacked or improperly allowed access to their password records. Hackers often try those same username/email + password combinations on other websites, and they often work because the user registered there with the same combination that another site leaked. Or sometimes they just try with really common/simple passwords.

Another possibility is somehow tricking the user into revealing their password or clicking on a link that installs malware to log their keyboard input.

2 Thanks
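An added example, not part of the post above: how a site operator could spot the credential-reuse pattern it describes in login logs. One source trying many different usernames and mostly failing looks like credential stuffing, while repeated failures against a single account look like password guessing. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice FAIL
2024-01-01T10:00:02 203.0.113.7 bob FAIL
2024-01-01T10:00:03 203.0.113.7 carol OK
2024-01-01T10:00:04 203.0.113.7 dave FAIL
2024-01-01T10:00:05 203.0.113.7 erin FAIL
2024-01-01T10:00:06 203.0.113.7 frank FAIL
2024-01-01T10:03:10 198.51.100.4 grace FAIL
2024-01-01T10:03:12 198.51.100.4 grace FAIL
2024-01-01T10:03:15 198.51.100.4 grace FAIL
2024-01-01T10:03:19 198.51.100.4 grace FAIL
2024-01-01T10:03:25 198.51.100.4 grace FAIL
2024-01-01T10:05:00 192.0.2.10 trent FAIL
2024-01-01T10:05:20 192.0.2.10 trent OK
"""

def parse(log):
    """Yield (ip, username, success) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines
        yield parts[1], parts[2], parts[3] == "OK"

def classify(log, min_users=5, min_fail_ratio=0.8, min_guesses=5):
    """Label each source IP; thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ip, user, ok in parse(log):
        by_ip[ip].append((user, ok))
    report = {}
    for ip, events in by_ip.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        if len(users) >= min_users and fails / len(events) >= min_fail_ratio:
            verdict = "credential_stuffing"  # many accounts, mostly failures
        elif len(users) == 1 and fails >= min_guesses:
            verdict = "password_guessing"    # one account, many wrong passwords
        else:
            verdict = "normal"               # e.g. a typo followed by success
        # A success from a stuffing source means a reused password worked.
        hits = sorted({u for u, ok in events if ok}) if verdict == "credential_stuffing" else []
        report[ip] = {"verdict": verdict, "accounts_to_reset": hits}
    return report

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

The accounts listed under `accounts_to_reset` are the ones to lock and force a password change on, since the login succeeded from a source that was cycling through other users' credentials.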

fwiw, last year both my Verizon and ATT cellular accounts notified me of a security breach that compromised their passwords.

They gave me a year of free credit monitoring… Nothing bad happened… I just created new passwords (yes different for each account) and all has been well.

glad Mike’s account is recovered and secured again…