Thread: Account hack?
-
06-30-2015, 11:29 PM #1
Account hack?
So I just got an email saying someone tried to log into my account 5 times unsuccessfully... Anyone else have this?
-
06-30-2015, 11:37 PM #2
Can't say I've had any problems. I know there were some problems a few months ago with hackers.
Burls, Girls, and all things that Swirl....
-
07-01-2015, 12:04 AM #3
I've had the same notice a few months ago, nothing came of it though.
Than ≠ Then
Shave like a BOSS
-
07-01-2015, 02:17 AM #4
For as long as we use screen names, which are publicly available, plus a password for authentication, there is no way to prevent brute force attacks like these where the attackers are essentially trying to guess the password on the account.
As a security measure we block them after five unsuccessful attempts and send a notification to the email on the account. Most forums and other sites would either not detect such attempts or not notify the account holder, but in my opinion that only decreases their security at the expense of keeping their members in the dark.
For example, the attackers are targeting accounts that have not been used for a while, clearly hoping to remain undetected, so our notifications are doing exactly what they are trying to avoid.
As long as you use a moderately secure password (i.e. not on the lists of the most commonly used passwords or your screen name) there should be no problem.
-
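The block-after-five-failures and notify behaviour described in post #4, as an added example that is not part of the original thread and not the forum's own code. The function names, the 180-day dormancy cutoff, blocking per screen name, and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 5                      # threshold stated in the post
DORMANT_AFTER = timedelta(days=180)   # assumption: what "not used for a while" means

def process_logins(events, last_seen):
    """events: (timestamp, screen_name, success) tuples in time order.
    last_seen: screen_name -> datetime of the last successful login.
    Returns (set of blocked accounts, list of notification texts to email)."""
    failures, locked, notices = {}, set(), []
    for ts, name, ok in events:
        if name in locked:
            continue                  # blocked: further guesses are not evaluated
        if ok:
            failures[name] = 0        # a successful login resets the counter
            last_seen[name] = ts
            continue
        failures[name] = failures.get(name, 0) + 1
        if failures[name] >= MAX_FAILURES:
            locked.add(name)
            seen = last_seen.get(name)
            dormant = seen is None or ts - seen > DORMANT_AFTER
            notices.append(
                f"{name}: {MAX_FAILURES} failed logins, blocked at {ts:%Y-%m-%d %H:%M}"
                + (" (account was dormant)" if dormant else ""))
    return locked, notices

def sample_events():
    # Constructed sample data, not taken from any real log.
    t0 = datetime(2015, 6, 30, 23, 0)
    ev = [(t0 + timedelta(seconds=i), "old_member", False) for i in range(7)]
    ev += [(t0 + timedelta(minutes=5), "active_member", False),
           (t0 + timedelta(minutes=6), "active_member", True)]
    seen = {"old_member": datetime(2013, 1, 1),
            "active_member": t0 - timedelta(days=2)}
    return ev, seen

if __name__ == "__main__":
    events, seen = sample_events()
    locked, notices = process_logins(events, seen)
    print(sorted(locked))
    print("\n".join(notices))
```

The dormancy flag marks the case the post singles out: guesses against accounts nobody has logged into recently, where the email notice may be the only signal the owner gets.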
-
07-01-2015, 04:47 AM #5
Um, pardon my continued ignorance on all things related to the internets, but what the hell would be the benefit of hacking in as a regular member? I realize if someone hacked Gugi's account they could do some damage to the site but if someone hacked into an average account like mine, all the harm they could do maybe would be to post something more intelligent than I might post.
-
07-01-2015, 05:14 AM #6
I think most of these are just large-scale generic attacks without specific targeting.
A couple of months ago one was successful (I guess that member's password was really weak) and they sent a bunch of PM spam from his account. (I could certainly minimize these by throttling the PM sending rate like some forums do, but I don't think it's worth it - I have been annoyed by that in the past and I know it would make some important things like coordinating group activities over PM frustrating).
I very much doubt that anybody from the spam PM recipients ordered that junk, so it's really a waste of time and effort for the attacker, but it is a numbers game. You program the attack once, which is the most expertise-intensive part, and then simply run it on anything you can, which is cheap. Unlike ours, most online forums have very poor technical support, so you're bound to end up with a good number of successes. You are multiplying by the extremely low rate of effectiveness of the spam, so you need big numbers on the attack being successful.
Plus at the end you also have a database of screenname/email address and weak password pairs which is pretty valuable. You've identified people with very poor online skills and some non-negligible fraction of them are bound to be reusing the same screenname/email and password on more important websites.
In any case there are only a few entities who are actively working against SRP and only a handful of them would do something like this with the idea to inflict damage on SRP (e.g. by undermining members' trust). But if any of them tries it and I find out, they'll be in really hot water - I will not hesitate to expose them and take legal action.
-
The Following User Says Thank You to gugi For This Useful Post:
Firefighter2 (07-01-2015)