Slashdot Mirror
Millions of Gmail, Yahoo, Hotmail Email Accounts Being Traded in Russian Underworld (reuters.com)
Eric Auchard, reporting for Reuters (edited and condensed): Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users (Editor's note: the numbers are: 57M Mail.ru, 24M Google, 40M Yahoo, and 33M Hotmail), said Alex Holden, founder and chief information security officer of Hold Security. [...] The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records.Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convince email users to do 2-step verification. Why not require it?"
All of them should follow Edward Snowden's example and start using end-to-end encryption on all their email.
But seriously, we all know the Clinton's and the RNC ran their own servers to ensure that reliable backups were simply not available when subpoenaed.
But seriously seriously, end-to-end encryption on all your email, regardless of the servers involved.
No guarantee. A lot can be obtained from third-party sites, to which people login using their existing accounts. It is not only Slashdot, which allows you to login with your Yahoo! or Facebook credentials...
When you use this method on a web-site, you get a notice, that you authorize the site to "access your contacts" and some other information. This is easy for the sites to set up and they like it because they want to encourage people to comment — it increases "pageviews". The site itself may not be abusing this access (some operators may not even realize, they have it).
Unfortunately, not all sites are good at guarding it — this is how your entire Yahoo! addressbook, for example, may end up in the criminals' possession without them ever actually accessing your mailbox. Having such addressbooks, spammers can (and do!) generate customized spam in which you appear to be the sender for each of your contacts and which opens with the salutation you used to identify the contact. Such spams, obviously, have a far higher chances of being read by the victims — and the links in them are much more likely to be clicked.
In Soviet Washington the swamp drains you.
2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic...
If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.
Sig for hire.