Page 1 of 2

Forum password security

Posted: Fri Jan 01, 2021 5:28 am
by wrrlykam
Just checked on my AVG protection software and it is flagging up TrekCC as having had a password leak dated 10th December 2020. Any comment on this?

Re: Forum password security

Posted: Fri Jan 01, 2021 10:09 am
by JeBuS
Does it provide any other details?

I can tell you that your password isn't stored, so that can't have leaked. What's stored is an encrypted hash generated based on your password. And no, that can't be used to login to the site.
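The storage model JeBuS describes (a per-user hash derived from the password, rather than the password itself) can be shown concretely. The following is an added example written for this page, not code from the forum's software: it uses Python's standard-library PBKDF2-HMAC-SHA256 with a random salt, stores a record of the form `pbkdf2_sha256$iterations$salt$hash`, and verifies a login attempt in constant time. The record format, iteration count and function names are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2. Chosen for this example; production systems
# tune this upward as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Return a storable record; the password itself is never stored."""
    salt = secrets.token_bytes(16)            # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking timing information about the mismatch position
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(password: str, record: str) -> bool:
    """True only if the plaintext appears in the record (it never should)."""
    return password in record


if __name__ == "__main__":
    # Constructed sample account; "startrek" is one of the passwords listed
    # later in this thread.
    stored = hash_password("startrek")
    print("stored record:", stored)
    print("correct password accepted:", verify_password("startrek", stored))
    print("wrong password rejected:", not verify_password("Startrek", stored))
    print("plaintext visible in record:", record_reveals_password("startrek", stored))
```

Two properties matter for the thread's question: a leaked record cannot be submitted to the login form as if it were the password, because the server hashes whatever is typed and compares the result; and because each user gets a fresh salt, two users with the same password produce different records, so a leak does not immediately reveal who shares a password.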

Re: Forum password security

Posted: Sat Jan 02, 2021 2:38 pm
by Johannes Mette
:D :thumbsup:

Re: Forum password security

Posted: Sun Jan 10, 2021 8:25 pm
by SudenKapala
I was waiting for someone to debunk / explain this. (Trust, but verify.) It is a serious statement; and without closure, it looks... ugly.
I have my own ideas but no way to check them.
:borg: Any news?

Re: Forum password security

Posted: Sun Jan 10, 2021 9:02 pm
by JeBuS
I haven't found any evidence of a breach yet. There's a hacker group that went defunct recently and their collection of data was publicized. That included a database leak from years ago.

https://www.trekcc.org/articles/index.p ... cleID=2212

All of those passwords were reset on March 3rd, 2018.

Re: Forum password security

Posted: Tue Jan 12, 2021 5:17 am
by SudenKapala
I do remember that one. Weird, this. :shifty:

Passwords compromised?

Posted: Tue Feb 02, 2021 8:53 am
by Takket
I visited this site on my iPhone just now and my phone warned me that trekcc had appeared on a list of sites where passwords had been compromised and advised me to change my password immediately.

I did so, but wanted to give a heads up to others. Has anyone else gotten this message or heard anything similar???

This is exactly the message I got:

https://macreports.com/this-password-ha ... on-iphone/

Re: Passwords compromised?

Posted: Tue Feb 02, 2021 9:39 am
by SudenKapala
Thanks for putting it out in the open. :thumbsup:

Is macreports.com a trusted site, and/or associated with Macintosh/Apple? I'm more of an IBM person, and I know that, say, Microsoft has registered and uses many trusted domain names (why!?); but as someone who lost his [SD] Comp Skill behind in 2014, I am forced to look at security on, e.g., the URL level.
So, my question... have you got plausible intel from that site before, is it a trusted platform for iDevices?

If so, next question: does this concern the 1 or 2 year old security leak that has been known for some time already (and was patched)? :cross:

Re: Forum password security

Posted: Tue Feb 02, 2021 11:14 am
by JeBuS
@Takket
I've merged your thread with this one. I've checked again, and these warnings still seem to be based on the same info I posted above.

Re: Forum password security

Posted: Tue Feb 02, 2021 11:33 am
by SudenKapala
Thanks (again), both. I hoped it was so! :thumbsup:

Re: Forum password security

Posted: Tue Feb 02, 2021 12:41 pm
by AllenGould
Is there something we need to do to get off the naughty lists? After all, my understanding is that we did a complete password reset back then.

Re: Forum password security

Posted: Tue Feb 02, 2021 12:56 pm
by JeBuS
AllenGould wrote: Tue Feb 02, 2021 12:41 pm Is there something we need to do to get off the naughty lists? After all, my understanding is that we did a complete password reset back then.
Near as I can tell, these are all "low-effort" systems. By that I mean, it's just a bunch of automated systems scraping known vectors and databases. So when something like an old database pops into a feed as "new", these systems just pick it up and run with it.

But I'll put this reminder out there:
Your passwords are best treated like diapers: change them often.

If you've got a slew of passwords that you like to re-use, you should figure that at some point, hackers will try every one of them to login to all of your accounts. So none of your accounts anywhere should ever use the same password that you have ever used anywhere else.

Re: Forum password security

Posted: Wed Feb 03, 2021 11:36 am
by MidnightLich
I can't recommend a password manager enough. I use LastPass and it's amazing. It lets you get strong, random passwords for every site/app you use, and then only requires you to remember one strong password.

Re: Forum password security

Posted: Wed Feb 03, 2021 11:43 am
by AllenGould
MidnightLich wrote: Wed Feb 03, 2021 11:36 am I can't recommend a password manager enough. I use LastPass and it's amazing. It lets you get strong, random passwords for every site/app you use, and then only requires you to remember one strong password.
If you're in the Google ecosystem, their password manager is pretty much baked-in to Chrome, and I've been pretty happy with it. About as low-effort as you can get.

Re: Forum password security

Posted: Thu Feb 04, 2021 12:36 am
by BCSWowbagger
As a LastPass user and IT professional, I have to agree. For most people, password managers are the best available solution to an impossibly hard problem.

Of course, make very sure that your LastPass account is both (1) secured all to hell, and (2) that you remember your very long and complicated LastPass passphrase until the sun goes out. But it beats the heck out of having to worry about your bank account being compromised because some Syrian script kiddie broke into the database of a My Little Pony forum you registered for ten years ago and forgot about.

EDIT: ha ha, until the article reminded me, I forgot about white-hat cracking all those passwords to see how bad the damage was. I still have a list of all those (old, bad, long since reset passwords) around here somewhere.

Years later, I'm able to say it was fun seeing how different our "most common passwords" are from the generic most common passwords. On most websites, the most common passwords are some combination of:

password
123456
12345678
trustno1
qwerty
letmein

On OUR website, the most common passwords were:

startrek (11 users)
123456
password
starwars
12345678
Babylon5
ncc1701
qwerty
letmein
heymyhs
ncc1701d
11001001
ncc1701e (4 users)

You lovable nerds. (Mine was a Star Trek reference, too, before I got on to LastPass.) I believe these passwords are all illegal now under our current password policy -- which is probably for the best.
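The post above says these passwords would no longer pass the forum's current policy. As an added illustration (not the forum's actual policy code, whose rules are not stated in the thread), here is a small policy check that rejects the common passwords listed in the two posts above, compares case-insensitively, and applies a minimum length. The length threshold and the exact rule set are assumptions made for this example.

```python
# Common passwords taken from the two lists posted in this thread, plus the
# generic list. Real deployments use a much larger list of known-breached values.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "trustno1", "qwerty", "letmein",
    "startrek", "starwars", "babylon5", "ncc1701", "heymyhs",
    "ncc1701d", "11001001", "ncc1701e",
}

MIN_LENGTH = 12  # assumed policy value for this example


def normalize(password: str) -> str:
    """Fold case and surrounding whitespace so 'StarTrek' matches 'startrek'."""
    return password.strip().lower()


def policy_violations(password: str) -> list[str]:
    """Return a list of reasons the password is rejected; empty means accepted."""
    reasons = []
    norm = normalize(password)
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if norm in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    # Reject trivial variations: a common word padded with digits, e.g. startrek1
    stripped = norm.rstrip("0123456789!")
    if stripped != norm and stripped in COMMON_PASSWORDS:
        reasons.append("a common password with digits or '!' appended")
    return reasons


def is_acceptable(password: str) -> bool:
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed candidates, including entries from the thread's lists.
    for candidate in ["startrek", "NCC1701E", "startrek123!", "correct-horse-tribble"]:
        print(f"{candidate!r}: {policy_violations(candidate) or 'accepted'}")
```

Returning the list of reasons, rather than a bare true/false, lets a registration form tell the user exactly which rule tripped, which is what turns a rejected "startrek" into a changed habit rather than a retried "startrek1".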