Your data is stored in what we call databases. They’re similar to Excel sheets, with one sheet holding for example login data, another holding your comments, etc. Today, any web developer worth their salt will implement steps to help protect your data from unauthorized eyes – even themselves. That means your login info ought to be encrypted, salted, and hashed. I couldn’t tell you much more about what this means exactly but essentially, it makes it so even if someone gets access to the database that holds your password, they’ll just see a jumbled mess of letters that may take years to decrypt.

That means if your login info is “AnimeFan111”, email is “animeiskewl@gmail.com” and password is “Hunter2”, they’ll just see stuff like “asddgjb21312nvsj” instead.

You yourself are not very interesting to hackers.

What’s interesting is getting access to thousands of logins at once, and you may very well be on it.

The way hackers operate today is by getting access to these databases through some vulnerability. That’s why it’s important to keep your site up to date if you use any databases or PHP. I made a post on this community about Albion Online forums (not the website nor the game, just the forums!) being hacked. They’ve since patched the vulnerability, but too little, too late.

Don’t assume only high-profile websites will be hacked!

The more interesting websites to hack are those with little security, that won’t even notice they were hacked. What matters is getting the dump so that you can then access the actual payload sites (Amazon, Google, etc).

Once the hacker has access to the database, they just need to download it (probably to an actual Excel file). They now have thousands upon thousands of logins ready to go, albeit encrypted.

I mentioned that decryption can take years. It can also take mere hours if the hackers have enough computer power and if the encryption standard is low, or your password is not particularly secure. It also depends on what info exactly is encrypted. If it’s just the passwords, then they still have access to your email.

What makes a password secure?

Prefer length over complexity. A character is encoded on a bit, and the more bits you have to decrypt, the longer it will take. Instead of complex characters like +/* interwoven with numbers, try a very long sentence that you can remember.
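As an added example (not code from the original post), this shows what the “jumbled mess” stored in a database looks like when a site salts and hashes a password with a deliberately slow hash, and gives a rough bits-of-entropy estimate that illustrates why a long sentence beats a short complex password. The iteration count and the attacker’s guess rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os

# Salted, slow password hashing with PBKDF2-HMAC-SHA256 from the standard library.
# The iteration count (an assumed value) makes every guess expensive for an attacker.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2$iterations$salt_hex$hash_hex' using a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def entropy_bits(password: str) -> float:
    """Rough strength estimate: log2(character pool size) per character."""
    pools = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in pools if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(size) if size else 0.0


def years_to_crack(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at an assumed offline guess rate."""
    seconds = 2 ** entropy_bits(password) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    stored = hash_password("Hunter2")
    print(stored)  # this is what ends up in the database, not "Hunter2"
    print(verify_password("Hunter2", stored), verify_password("hunter2", stored))
    for pw in ("Hunter2", "P@ssw0rd!", "my cat sleeps on the warm laundry"):
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, ~{years_to_crack(pw):.2g} years")
```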

This information is worth some money, and it will be sold on the web. You can buy, for 50 bucks, a dump of tens of thousands of encrypted login data, or even credit card data. Decrypted info is worth much more obviously. Moreover, this means it’s not just the one lone hacker working at decrypting your password. It’s a team of buyers, and sometimes teams of hackers all together.

Once you know your info has been leaked, assume that it’s been decrypted. This is how haveibeenpwned.com knows that your email appears in “dumps”, a term to describe the file of thousands of logins I mentioned earlier. You can even access some of these dumps in plain text on the clear web, and it’s quite a shock to see your password next to your email in plain text for the world to see.

Once that info is in clear text and decrypted, it can be resold or used. It’s really simple: the latter is a much bigger crime than the former (and much more high-profile), so usually the group that leaked your data just sells it and stops there. Other people, potentially dozens, will then buy that dump and try it out.

At this point, they would be better off using automated programs to try your logins on hundreds of websites. It doesn’t matter which, it just matters that they can find something more substantial. The point of hacking the Albion Online forums (not even the game, the two are separate) was not to steal gold coins on the accounts, it was to resell that data for a quick buck. And the point of buying Albion Online logins was, again, not to steal your characters, but to find your credit card info on other, more secure websites.

Where do you have your credit card info registered? On Amazon, GOG, Steam, maybe even your local pharmacy that opened up an online shop. With the logins in hand, I can make a program (or buy one) that automatically tries out the combinations on websites, one after the other. If I get access to your Amazon account, I can get stuff delivered to a PO box or a pick-up location. If I get access to your Steam account, and you’ve linked your PayPal account, I can see which email you use on PayPal and possibly compare that to my other dumps. To be honest, these hackers are more interested in quick gains; they have thousands of logins to check on thousands of websites, they don’t have time to be tracking down your logins.

After that, your credit card info travels in two ways. Either the hackers use it themselves, or they put it in a dump and resell it (50 bucks for a few hundred numbers). Again because one is a worse crime than the other.

Let’s recap the process. A random website you haven’t used for several years and didn’t even remember (looking at you Albion) announces they were hacked. The hackers made out with thousands of hashed login records. They decrypt what they can, and sell that on the web. Buyers use those files to try and connect to your accounts on other websites where there is juicier info, like Amazon, Paypal, Google. They extract your credit card information if they can, put that in a dump of their own, and sell it. Then a third buyer purchases your credit card number, and they are free to use it any way they want.

If you’ve been hacked like this, look up irregular transactions on your banking software.

Criminals will also sometimes make a small purchase of 1 or 2 dollars with your credit card to confirm that it works, before moving on to the really dangerous sums.

Typically, credit card info on any serious website will be secured differently. I’m not sure exactly what developers do, but typically even if you get access to the account the legit way (logging in), you can’t just get the credit card info in plain text. IF the website is doing things properly. That’s also why I don’t recommend saving your payment info on websites, but it’s not entirely safe either. It’s safe from this type of access, but it’s not safe from a man-in-the-middle attack, for example. Whenever you use your credit card to buy something online, that transaction has to be in transit and be stored somewhere.

So what can you do?

If you know you’re going to be using a service sparingly, consider registering it to a burner email with a randomly-generated password. Since we have so many logins to remember these days, I recommend using the password manager of your choice (but contrary to popular belief, open-source software is actually more secure, so opt for that).

Enable two-factor authentication whenever possible (2FA). This will send a code to your email or phone that you need to input to finalize logging in.

And don’t assume your data is safe just because there’s a lot of security or, conversely, because you’re using an obscure website. As we’ve seen what’s interesting is getting that data for resale and to get more juicy info down the line. Even a website like Lemmygrad (though most people probably don’t have an email attached) can be hacked for this reason.

  • @chad1234
    23 years ago

    there have been instances where the password was stored in plain text on the database