Facebook Dodgy log in attempt

Forums › Off topic › Facebook Dodgy log in attempt

Geektastic

17943 posts

Uber Geek

Trusted

Lifetime subscriber

#214399 9-May-2017 18:54

Had an email from FB (which I only really use for work and even then find largely pointless but that's not the point of the story!)

I assumed the email was a dodgy one as it claimed I needed to 'click the link to change my password due to a log in from an unusual place'. Yeah, right.

I logged direct to FB and got a page saying my account was temporarily locked because someone using Opera located in Morocco tried to log on, and was that me?

No. Not even slightly.

So new password.

Kudos to FB for being on the ball though.

1 | 2

20143 posts

Uber Geek

#1778732 9-May-2017 20:20

Isn't its odd that facebook didn't email you too? When that happens with a google account, google emails you as well.

richms

28168 posts

Uber Geek

Trusted

Lifetime subscriber

#1778752 9-May-2017 20:48

mattwnz:

Isn't its odd that facebook didn't email you too? When that happens with a google account, google emails you as well.

He just said that they did email him?

Richard rich.ms

Geektastic

17943 posts

Uber Geek

Trusted

Lifetime subscriber

#1778795 9-May-2017 21:43

They did email me, as I said.

To be honest, the one success the scammers have had is to make every email from people like FB look like spam or phishing!

freitasm

BDFL - Memuneh
79263 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1778821 9-May-2017 22:08

Highly recommend folks visit HIBP and sign up for the breach notifications.

Password stuffing is real - people have the bad habit of reusing password so when bad folks buy lists of email/passwords they just go around trying login into websites to see if they hit a jackpot. We have a few hundred attempts daily on Geekzone from people with usernames that don't exist, like this one:

We can't simply block IP addresses because these vary wildly. We use ThisData analytics to see in real time what's happening. The service automatically send an email if a suspicious login happens - some of you may have seen the email asking if it was you. At the moment it's more of a heads up to people when suspicious activity happens in their account but soon we will be terminating sessions if something like this happens.

And there's a lot happening:

PS. This is another PAID service that costs us - hence the ads, subscriptions, etc... Another reason for those with adblockers to consider whitelisting Geekzone - a good service is not free.

Geektastic

17943 posts

Uber Geek

Trusted

Lifetime subscriber

#1778838 9-May-2017 22:45

That is quite worrying.

Given the sheer number of things people have to (well, OK, want to) subscribe to these days, it would be great if some really clever person could come up with a way to stop it. I can have iris scanning in my phone which is allegedly pretty hard to compromise: Can I have it in my desktop soon and can it then be used to unlock websites? Or something.

No one can realistically recall all the passwords and emails they have used and password things like 1Password help but do not always work well cross-platform etc.

freitasm

BDFL - Memuneh
79263 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1778841 9-May-2017 22:51

I have hundreds of passwords and they are all different. A couple of my emails appeared in the leaks but just a password change and it's all good again - if I had repeated the password it would be impossible to update everywhere.

Password managers help. Never late to start using them.

richms

28168 posts

Uber Geek

Trusted

Lifetime subscriber

#1778854 9-May-2017 23:59

lastpass works on chrome, firefox, android, apparantly IE and edge, not that I use those, and also apparantly iphone. Also not hard to copy/paste from a supported browser into any apps on the desktop like adobe creative cloud and spotify and the phone will autofill apps.

No excuse for non unique passwords.

Richard rich.ms

Tradepub

Free professional, reference and technical white papers (affiliate link).

mattwnz

20143 posts

Uber Geek

#1778856 10-May-2017 00:06

richms:

mattwnz:

Isn't its odd that facebook didn't email you too? When that happens with a google account, google emails you as well.

He just said that they did email him?

I misread that, as I thought it was a scam email that looked like a facebook email, as they said it had a link in it that they didn't want to click. Teh problem is that these legit websites themselves are using bad practice by emailing a link as well, which potentially could have been sent by a scammer. I get lots of bank ones, and some of them look very legitimate..

bigalow

566 posts

Ultimate Geek

#1778861 10-May-2017 02:10

how can you find out if someone has tried to login on facebook ?

cant find the page

BTR

1527 posts

Uber Geek

#1778908 10-May-2017 08:55

As well as using different good strength passwords for every I suggest if you have a firewall that has a geo filter use it unless you really like browsing nigeria's version of trademe.

MadEngineer

4271 posts

Uber Geek

Trusted

#1778911 10-May-2017 08:57

biggal:
how can you find out if someone has tried to login on facebook ?

cant find the page

2FA

Also it's no longer required to pay for access to the password dump - it's publically released and dehashed. I suggest downloading it and searching for email addresses for any domains that tou look after ensuring that those that inevitability show up are not using those passwords anywhere.

If anyone would like me to check for them, send me a pm followed by a confirmation email from the address you'd like checked and I'll provide you with a munged password if it's listed.

You're not on Atlantis anymore, Duncan Idaho.

Geektastic

17943 posts

Uber Geek

Trusted

Lifetime subscriber

#1778913 10-May-2017 09:00

Would it be possible (not my area of expertise, and I do not mean right now necessarily but soon) to have a website refuse a log in request from any device not unlocked using your biometrics?

MadEngineer

4271 posts

Uber Geek

Trusted

#1778920 10-May-2017 09:17

^2FA is being used more widely now where you confirm logins on new devices through a code sent by txt message or an app notification provided by push on your smartphone.

You're not on Atlantis anymore, Duncan Idaho.

Geektastic

17943 posts

Uber Geek

Trusted

Lifetime subscriber

#1778925 10-May-2017 09:23

MadEngineer: ^2FA is being used more widely now where you confirm logins on new devices through a code sent by txt message or an app notification provided by push on your smartphone.

Yes, but it is still not that smooth. For example to use it with iCloud, any app that you want to use with it (not an Apple one) requires you to go to iCloud, create a unique password for that app and then go back to the app and put it in etc ect.

If somehow a website could reliably know whether the device attempting to access it has been unlocked using biometrics, and deny access if not, that would be smoother. I am sure it is technically difficult but then again when I was only 18, the internet was something that only Star Trek could have...!

MadEngineer

4271 posts

Uber Geek

Trusted

#1778931 10-May-2017 09:31

That's a solution called "app-specific passwords" for outdated apps/services that don't support 2FA

You're not on Atlantis anymore, Duncan Idaho.

1 | 2