Allegro.cc - Online Community

TINS breach
Chris Katko
Member #1,881
January 2002

So did anyone know/realize that TINS accounts were breached and leaked online?


-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

amarillion
Member #940
January 2001

Passwords in the TINS database are hashed and salted. There is no cleartext. Therefore a breach is unlikely.

Of course I can't be sure that I prevented every possible attack. Where did you see this? Please show me some more information so I can investigate.

--
Martijn van Iersel | My Blog | Sin & Cos | Food Chain Farm | Support TINS

Matthew Leverton
Supreme Loser
January 1999

I assume it's saying his password from TINS was found in a data dump. If it's a unique, random password, then it's unlikely that it came from elsewhere.

I just act as if all passwords on all sites are in the public domain, and I rotate ones I care about and/or enable TFA. And every password of mine is completely randomly generated.

amarillion
Member #940
January 2001

I really do want to know more about this. I could check my own password for example.

--
Martijn van Iersel | My Blog | Sin & Cos | Food Chain Farm | Support TINS

Chris Katko
Member #1,881
January 2002

It showed in my Chrome (Google checks against known breaches).

You can also check if your e-mails (or all e-mails in your database) show up as flagged in haveibeenpwned.com.

I don't believe Google tells you the specific breach. It is possible that it's not breached, like Matt said, and a common e-mail and password were stored in Chrome, which then flagged them. As in, anywhere I used my e-mail and that password would show up in that Chrome warning menu.

> If it's a unique, random password

I doubt it's unique though I don't remember it.

But Matthew is probably right. I used to use passwords common to multiple websites before you know... everyone got hack crazy.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

amarillion
Member #940
January 2001

OK, I checked a few email addresses in the TINS database against haveibeenpwned.com. Some of them are green, some of them are red. It doesn't look like the whole site was breached. It does indeed look like this is just a re-used password.

At this point I won't take additional security precautions, unless somebody feels strongly otherwise.

--
Martijn van Iersel | My Blog | Sin & Cos | Food Chain Farm | Support TINS
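
An added illustration, not part of any post in this thread and not TINS code, of the conclusion reached above: a reused password is flagged because it appears in another site's dump, even though this site keeps only salted hashes. PBKDF2, the iteration count, the `SUFFIX:count` range lookup in the style of haveibeenpwned's Pwned Passwords, and all passwords and names are assumptions constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch

def store(password: str) -> tuple[bytes, bytes]:
    """What a salted-hash site keeps per account: (salt, digest), no cleartext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()

def build_corpus(leaked: list[str]) -> dict[str, list[str]]:
    """Index cleartext leaked from some other site as prefix -> ['SUFFIX:count']."""
    counts: dict[str, int] = {}
    for pw in leaked:
        counts[sha1_hex(pw)] = counts.get(sha1_hex(pw), 0) + 1
    corpus: dict[str, list[str]] = {}
    for digest, n in counts.items():
        corpus.setdefault(digest[:5], []).append(f"{digest[5:]}:{n}")
    return corpus

def breach_count(password: str, corpus: dict[str, list[str]]) -> int:
    """Range lookup: only the 5-character prefix would leave the client."""
    digest = sha1_hex(password)
    for line in corpus.get(digest[:5], []):
        suffix, _, n = line.partition(":")
        if suffix == digest[5:]:
            return int(n)
    return 0

# Constructed data: one password reused across sites, one random per-site password.
REUSED = "hunter2-allegro"
UNIQUE = "q7#Vd9!mX2rLp0zK"
OTHER_SITE_DUMP = [REUSED, "letmein", REUSED]  # leaked elsewhere, not from this site
CORPUS = build_corpus(OTHER_SITE_DUMP)
ALICE = store(REUSED)  # two accounts on this site with the same password:
BOB = store(REUSED)    # different salts give different stored digests

if __name__ == "__main__":
    print("reused flagged:", breach_count(REUSED, CORPUS))
    print("unique flagged:", breach_count(UNIQUE, CORPUS))
    print("rows differ:", ALICE[1] != BOB[1], "| login ok:", verify(REUSED, *ALICE))
```
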

Elias
Member #358
May 2000

If I go to passwords.google.com it lists both allegro.cc and amarillion.org under "reused passwords" :P

--
"Either help out or stop whining" - Evert

bamccaig
Member #7,536
July 2006


Coincidentally I finally got around to cleaning up saved passwords in Firefox and Chrome, and moved them all over to LastPass instead. Then using LastPass I generated new, long, complex passwords for all the things, one-by-one.

LastPass's code to automatically generate new passphrases for known services appears to have been broken for years now (according to threads I found online anyway). I started around 11 AM and didn't finish until like 4 AM (with undefined breaks and distractions in between). :P Which is why I had put it off so long.

I've only been using a [cloud/mobile] password manager for about a year now. And I only finally switched fully to it literally today. In theory, I'm reasonably safe now. In practice, you only have to break one passphrase (well, and 2fa1.7n) to get everything that I have.

The passwords that are duplicated are for cross-platform apps that require me to type in a password to log in from the TV or game console or what have you. I didn't want to have to try to type a 48-character password by glancing at my phone (which sleeps every few seconds, requiring my fingerprint to unlock, and I think even LastPass locks in that case again). So I came up with a reasonably secure passphrase that is sufficiently random and complex that I can easily remember, and that my wife will be able to type if necessary. It's shared to make it easy because the worst thing is when you're uncertain which passphrase you used... And for the things I'm using it for I can just call the company and yell at them if my account ever gets hijacked (and if they're utilizing services I'm paying for and not using then I guess who cares).

Unfortunately, now if LastPass goes down (or I get amnesia or otherwise permanent memory loss) I'm fucked. :P
