Geekzone: technology news, blogs, forums
MadEngineer
  #3411031 4-Sep-2025 11:13

freitasm:

As a reminder, every time you login we check for password leaks. If your user credentials (username or email + password) are found to be leaked somewhere else you will see a page asking you to reset your password via email.

Ragnor:

Are you using the Cloudflare leaked credentials detection for this? I was looking at using this for one of our domains.

Also obligatory check/register your email address in https://haveibeenpwned.com/ folks

freitasm:

It is a two-way approach. I use both the Cloudflare detection and the haveibeenpwned password API. This check happens on login only.

This should be a feature added to any website dealing with client logins imho. I’d be interested to know if anyone has implemented this outside of Cloudflare-hosted sites.





You're not on Atlantis anymore, Duncan Idaho.



freitasm

  #3411033 4-Sep-2025 11:19

freitasm:

As a reminder, every time you login we check for password leaks. If your user credentials (username or email + password) are found to be leaked somewhere else you will see a page asking you to reset your password via email.

Ragnor:

Are you using the Cloudflare leaked credentials detection for this? I was looking at using this for one of our domains.

Also obligatory check/register your email address in https://haveibeenpwned.com/ folks

freitasm:

It is a two-way approach. I use both the Cloudflare detection and the haveibeenpwned password API. This check happens on login only.

MadEngineer:

This should be a feature added to any website dealing with client logins imho. I’d be interested to know if anyone has implemented this outside of Cloudflare-hosted sites.

 

 

It doesn't have to use the Cloudflare feature. Just a function to check haveibeenpwned API as I did. I am just running both in case one misses a leak, but I'd say having a haveibeenpwned API function would be enough.

 

I'm sure Trade Me could spend 30 minutes of a dev to implement this. 





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
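
One way to implement the login-time check described in the post above, as an added example (not Geekzone's code). It uses the haveibeenpwned Pwned Passwords range API, which is sent only the first five hex characters of the password's SHA-1; the function names, the fail-open choice when the API is unreachable, and the `sample_fetch` response are assumptions made for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, timeout=3.0):
    """Fetch every known suffix under this prefix; only the prefix is sent out."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "login-leak-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Times the password appears in the corpus (0 if absent or a padding row)."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def login_action(password_ok, password, fetch=fetch_range):
    """Decide what the login handler does once the normal password check has run."""
    if not password_ok:
        return "deny"
    try:
        leaked = breach_count(password, fetch) > 0
    except (OSError, ValueError):
        return "allow"  # assumption: fail open if the API is down or malformed
    return "force_reset" if leaked else "allow"


def sample_fetch(prefix):
    """Constructed offline response: a padding-style row plus one hit."""
    leaked_prefix, leaked_suffix = split_hash("passwordpassword")
    rows = ["0" * 35 + ":0"]
    if prefix == leaked_prefix:
        rows.append(leaked_suffix + ":42")  # constructed count, not real data
    return "\r\n".join(rows)
```

Pass `sample_fetch` as the `fetch` argument to exercise the logic without network access; the default `fetch_range` makes the real request.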

 


Senecio
  #3411034 4-Sep-2025 11:22

richms:

I love it when customers tell me that they know their password for our website is right because it's the one that they use everywhere. They are normally the same ones that complain that we make them have 2 factor logins and it's too much work to use the website.

gehenna:

I see you've met my father-in-law!

And mine!




fastbike
  #3411058 4-Sep-2025 12:53




Otautahi Christchurch


freitasm

  #3411066 4-Sep-2025 13:01

I would take using a password manager any time, with random passwords, rather than remembering a single password for all sites.






 


richms
  #3411085 4-Sep-2025 14:09

The only things I do not store in the password manager are my main Google accounts, I type those from memory and have U2F key 2 factor on them.

Otherwise it's too easy to end in a circle of not being trusted where the password manager decides to 2 factor you thru email, but the email password is in the password manager.

Thankfully Google do not seem to have a limit on the number of keys, and there was that deal a while ago that let you get up to 10 of them for really cheap - I think it was Cloudflare that offered it.

 

So I have many spare keys around the place.

 

 





Richard rich.ms

 
 
 
 

1024kb
  #3411087 4-Sep-2025 14:16

It was a few years ago now, but the user of this password argued strenuously against me for quite some time.



I wanted to claim a new world record for discovering such a POS password that was actually in use in a live environment.

The password was for his email account. Maybe 2 weeks later he called me while under stress - he was on his way to a funeral & his son needed a document which he thought he'd emailed but hadn't gone through, could I please help? He hadn't changed his email password. The document? A bank authorisation for the transfer of $2m to his son. Straight up.

Oh, the anonymous person - he's a public figure that the majority of readers would know of.




Megabyte - so geek it megahertz

Handsomedan
  #3411092 4-Sep-2025 14:46

This was reassuring: 





Handsome Dan Has Spoken.
Handsome Dan needs to stop adding three dots to every sentence...

 

Handsome Dan does not currently have a side hustle as the mascot for Yale 

 

 

 

*Gladly accepting donations...


richms
  #3411094 4-Sep-2025 14:53

Are people really putting their passwords into random websites to "test" them?

 

Comment your credit card details and I'll check if it's been stolen for you  : r/memes






Handsomedan
  #3411096 4-Sep-2025 15:01

richms:

 

Are people really putting their passwords into random websites to "test" them?

 

Comment your credit card details and I'll check if it's been stolen for you  : r/memes

 


Only the one I use for all the sites. I'd never put the one I use for "sites of interest" in...

 

 







Handsomedan
  #3411097 4-Sep-2025 15:03

richms:

 

Are people really putting their passwords into random websites to "test" them?

 

Comment your credit card details and I'll check if it's been stolen for you  : r/memes

 


Also - the card checker doesn't work properly unless you put your CVV/CVC in. How are you possibly going to know if there's any fraudulent activity if you don't put in all the details? 





richms
  #3411098 4-Sep-2025 15:04

Handsomedan:

 


Also - the card checker doesn't work properly unless you put your CVV/CVC in. How are you possibly going to know if there's any fraudulent activity if you don't put in all the details? 

 

 

That was the first meme I found. Sorry. (Not Sorry)






k1w1k1d
  #3411273 4-Sep-2025 16:49

passwordpassword  34 thousand years.

 

Mypasswordispassword  16 quadrillion years.

 

Not sure I believe these?


cddt
  #3412605 8-Sep-2025 14:59

freitasm:

 

My guess is that there is a fresh data breach somewhere (New Zealand?) and these Bad Actors™️ are targeting New Zealand sites to validate the accounts. 

 

 

Based on a single anecdote, Sky Go is a candidate. Take that with a grain of salt. 





My referral links: BigPipeMercury


MadEngineer
  #3412608 8-Sep-2025 15:15

I believe NZ is possibly being targeted in various phishing scams - I’m seeing multiple examples a week at the moment. The email accounts get taken over and used for further phishing expeditions to all the contacts. Accounts or logins mentioned in the emails are being attacked via password resets to try and order goods or other means of financial gain.

 

If not targeted then just a lot of victims. 




