My account is being hacked?

[DDT]

I have received this email 4 times today. It seems the hacker is a forum member, HPIB.

[tooki]

...or someone on the same ISP, since many ISPs recycle IP addresses among customers.

[ebastler]

... or someone who has already hacked into HPIB's account successfully, causing their IP address to be associated with the HPIB account.

HPIB has only posted here three times, in quick succession, in late August/early September of 2019. Now the forum stats show him as recently active. Of course that may be real; he might have switched to reading only a long time ago, or may be back after a long break. But taken together with your warning messages, a hacked account seems somewhat likely.

I'll report my own post (if I can do that?), so the mods can look into it.

[EEVblog]

I can't see anything wrong with HPIB's account or associated IP tracking, and both of you use different ISP's in different countries. So 

[golden_labels]

EEVblog:
Failed login attempts aside, Dave: privacy! That email leaks IP addresses of other forum members. If this is configurable or some forum plugin, perhaps disabling it would be a good idea?

DDT:
👍 for reporting this and asking for advice on the forum. Just to make sure you will not make any mistakes: do not click any links in such emails. The emails themselves may be an attack attempt.

As tooki has mentioned, this may be a recycled addres. Or, even more likely, a network that uses NAT. Note that it’s a network that has merely 8k addresses to distribute. It’s quite possible the tens of people may be sharing that one.

[grumpydoc]

The emails themselves may be an attack attempt.

Agree - the first question is "does this email actually come from eevblog"

Do you use an email client which allows you to view the headers?

The last legit failed login message I had (in fact me, forgetting my password) originated from cpanel1.eevblog.com

[Jeroen3]

EEVblog:
Failed login attempts aside, Dave: privacy! That email leaks IP addresses of other forum members. If this is configurable or some forum plugin, perhaps disabling it would be a good idea?

I read about this thing on some other forum and the general story was that is wasn't leaking the IP since you could assume the IP address belonged to the addressed. The name of the forum member though, that is different.

[magic]

Yes, it tells you about other users connecting from the same IP. Not sure over what timespan

It could possibly even be illegal in the EU, but... Australia

[golden_labels]

I read about this thing on some other forum and the general story was that is wasn't leaking the IP since you could assume the IP address belonged to the addressed. The name of the forum member though, that is different.

Unless DDT is HPIB and is trying to break into their own account, this is not what happens here. What has been leaked is an address-username pair of another user. In this case DDT learned what address HPIB is known to be using.

But even if DDT would now be using that address, the reasoning on that other forum⁽¹⁾ is invalid. The most important part: there is no way software sending email would know what IP address the recipient is using at the moment, so it’s still a leaky solution even if in a particular case no data was leaked. And even if that would be somehow verified, the address is likely to be shared/reused — but the reasoning seems to assume that the mapping is unique at all times.
____
⁽¹⁾ As reported by you. I don’t know the source.

[magic]

Yes, it tells you about other users connecting from the same IP. Not sure over what timespan

No, hell no, it tells you what other users used the forum (over some unspecified timespan) from the same IP which attempted the failed login.

If you didn't fail a login attempt, this is not your IP address and never was. The forum doesn't even try to send this email to the IP address displayed in the email. This is an "FYI" list of users who may be suspected of having attempted the failed login. Or it could have been someone else from the same ISP. Sorry for the misinformation yesterday.

[Halcyon]

Many internet providers and most cellular network providers these days use carrier grade NAT (CG-NAT) on their IPv4 address space. This means that you could be sharing an IP address between multiple users. There just isn't enough IPv4 addresses to go around so that everyone has their own unique address (even if it's dynamically assigned).

[paul]

I had two of these failed login attempt emails yesterday, except I had a long list of over 90 names with the same ip address.


  Hello paul,
  We have detected a failed login attempt on your account.

  Matched forum members with same ip address:

Snip,  its a long list

  IP address of the failed login attempt: 178.159.37.139

Anything to worry about ?

[Ysjoelfir]

No, as Halcyon already explained, it is nothing to worry about.

[gorge441]

I guess,
1. It is happening for share IP i mean share bandwidth.
2. Someone knows your password and i suggest you to change your password as soon as possible.


Thanks- GG

[ebastler]

IP address of the failed login attempt: 178.159.37.139
Anything to worry about ?

No, as Halcyon already explained, it is nothing to worry about.

But then, that IP address is in the Ucraine and shows up on various spam and IP abuse blacklists, according to Google. Hmm...

[tom66]

Surely to get a failed login attempt you need to enter someone's username and the wrong password.  So it is something to worry about, someone is bruteforcing or trying common passwords?

[Ysjoelfir]

But then, that IP address is in the Ucraine and shows up on various spam and IP abuse blacklists, according to Google. Hmm...

when you visit the AustNet IRC channel you have that happen very often to you - I don't want to count how often I got the message that my IP is on some ban list....
I think it's pretty common nowadays to get find the IP you have today been used by someone malicious...

[pidcon]

Go to your email reader and use "View Source" or some similar option to see what really is in the email message. Perhaps, Dave could possibly send a test message from EEVBlog.com for you to compare.

[ebastler]

@pidcon: I don't think anybody is questioning the authenticity of the email. The question is whether it suggests a serious attempt to hack into the account, and what it means that so many forum user accounts seem to be associated with the same IP address.

The latter could either be due to the fact that many users have in fact connected to the forum via that IP address. (Since it is an address used by an internet provider, and assigned to varying users when they connect.) That would be the harmless scenario. But it could also mean that an attacker has already successfully hacked into those 90 other accounts, and that's why they are associated with this IP.

@paul: I would suggest checking a few of the forum accounts which were mentioned in the email, to see whether they are actually based in the Ukraine (where the IP address is) or nearby. If they are in very different regions, so that it is implausible that all those users connected via an internet provider in the Ukraine at some point, then I would think there is reason for concern. (Mainly for all those other users, whose accounts may have been compromised.)

[paul]

Just for a test I logged in with the wrong password, this resulted in two Failed Login Attempt emails. So this is how the system works and the emails are genuine. Interestingly though, although I am connected via my phone, no other users are listed with same ip address.

I checked the accounts of some of the user names on the list and, no they are not from Ukraine or the same region, also all the users I checked have a Position of ZeroPoster with a post count of 0, surprisingly and Date Registered of 2020-3-12. As most of the names look like keyboard mashing of random letters I am presuming these are fake accounts, there are some real names in the list but these are also ZeroPoster and a similar registration date.

I dont think these are compromised accounts as they have never made any posts, this is all a bit odd.

[paul]

I checked again the first few names on the list of “IP address of the failed login attempt: 178.159.37.139”
There are over 90 users on this list but I think after checking the first 11 there is a pattern appearing

Position     Date Registered    Posts      
ZeroPoster   2020-03-12   0   Redmond WA USA   March 12, 2020, 02:25:51 pm
ZeroPoster   2020-03-12   0   Hollyoaks, england   March 12, 2020, 02:25:56 pm
ZeroPoster   2020-03-12   0   La Spezia, SP      March 12, 2020, 03:03:43 pm
ZeroPoster   2020-03-12   0   Worldwide         March 12, 2020, 05:49:53 pm
ZeroPoster   2020-03-12   0   Chucktown IL      March 12, 2020, 09:12:20 pm
ZeroPoster   2020-03-12   0   Dunkerton, Iowa      March 12, 2020, 09:33:15 pm
ZeroPoster   2020-03-12   0   Hattiesburg, MS      March 12, 2020, 10:27:18 pm
ZeroPoster   2020-03-12   0   Washington NC      March 12, 2020, 10:53:17 pm
ZeroPoster   2020-03-12   0   Vienna,Austria      March 12, 2020, 11:34:21 pm
ZeroPoster   2020-03-13   0   York UK         March 13, 2020, 05:43:38 am
ZeroPoster   2020-03-13   0   Upper Montclair, NJ   March 13, 2020, 07:24:49 am

I have not included the names (not sure if there are rules about that) most are just random letters and a few are real names.  All I can say is someone was busy on the 12th and 13th of March, but to what end ?
Any ideas why so many accounts with random names would be setup and not used ?
 

[ebastler]

Hmm, strange indeed. Creating so many accounts (and accounts with non-plausible usernames!) just in preparation for spamming the forum with advertising links does not seem like a realistic scenario.

If someone had access to the encrypted password information on the forum server, creating many dummy accounts might be part of a "known plaintext attack", trying to figure out the encryption (or hashing) algorithm and key for the passwords?

Anyway, it's probably a good idea for Dave & team to remove all the accounts registered from that IP address, and to block the IP address from future use. I'll report my own post here to make sure this gets spotted.

[EEVblog]

I checked again the first few names on the list of “IP address of the failed login attempt: 178.159.37.139”
There are over 90 users on this list but I think after checking the first 11 there is a pattern appearing

Yep, have banned that IP. No active users but a lot of spam accounts.
Thanks.

[Halcyon]

I checked again the first few names on the list of “IP address of the failed login attempt: 178.159.37.139”
There are over 90 users on this list but I think after checking the first 11 there is a pattern appearing

Yep, have banned that IP. No active users but a lot of spam accounts.
Thanks.

I don't know if the forum software has a capability, but can there be an automatic deletion on zero poster accounts that are over x weeks/months old?

[EEVblog]

I checked again the first few names on the list of “IP address of the failed login attempt: 178.159.37.139”
There are over 90 users on this list but I think after checking the first 11 there is a pattern appearing

Yep, have banned that IP. No active users but a lot of spam accounts.
Thanks.

I don't know if the forum software has a capability, but can there be an automatic deletion on zero poster accounts that are over x weeks/months old?

Not automatic, but I manually do this every couple of weeks. Just the other day there was 4000+ registrations waiting approval, all spam of course. I just bulk delete one older than say 3 days, giving new users caught in the spam trap time to email me.