WARNING: Compromised Accounts

[EEVblog]

There has been a recent spate of existing forum accounts being compromised by spam bots.
Presumably they had their details stolen and reused passwords?
So just a reminder to make your password unique and/or use the 2FA security feature.

[xrunner]

Yea I have seen a lot of them recently. Therefore I just set up 2FA here and the process was painless and worked. 

[KE5FX]

How does one brute-force a password?  Don't you lock the account out for X hours after Y unsuccessful attempts?

Usually, "brute forcing" a password involves a stolen password database file, potentially from some other site where the user with the same name used the same password.

[coppercone2]

the meat of our dead crew members is being turned into spammer-advertiser cyborgs

can the morgue be locked?

[MLXXXp]

and/or use the 2FA security feature.

Any chance support for FIDO hardware security keys for 2FA (Yubico, Google Titan, etc.) could be added?

[EEVblog]

How does one brute-force a password?  Don't you lock the account out for X hours after Y unsuccessful attempts?
Usually, "brute forcing" a password involves a stolen password database file, potentially from some other site where the user with the same name used the same password.

Yes, probably more likely to be the owner had their account compromised and shared a password.

[EEVblog]

and/or use the 2FA security feature.

Any chance support for FIDO hardware security keys for 2FA (Yubico, Google Titan, etc.) could be added?

If there is an SMF plugin that does that then I'm happy to install it, I use hardware keys myself. But last I looked there wasn't.

[coppercone2]

arent all these accounts long dormant?

[EEVblog]

arent all these accounts long dormant?

Haven't checked them all, but from what I've seen, not recent posters. But they were still active accounts with legit posts.

[CatalinaWOW]

Do you send notifications to those who have been compromised?

[Zoli]

I've checked(other forum, so is a widespread issue) some of the compromised e-mails: typically pawned in 10+ data breaches; add bad password hygiene in the mix, and you have the current situation.
Edit: since I've seen the spam posts(similar to the other location), I recommend to Dave, to use the forum censorship to change the *.site advertisement to something else(spam would be an idea).

[magic]

How does one brute-force a password?  Don't you lock the account out for X hours after Y unsuccessful attempts?

Usually, "brute forcing" a password involves a stolen password database file, potentially from some other site where the user with the same name used the same password.

"Brute forcing" means repeatedly trying random passwords without any idea which one could be right.

I tested this forum during the last wave of compromised account spam. A few failed login attempts lock the account for a few minutes and during this time even the correct password doesn't work. So true brute forcing is slow and unlikely to succeed.

These compromises are caused by using "well known" login/pw combinations, usually obtained from other hacked websites. If you know that some login had a particular password on another site, it's a no brainer to check if the same password also works here.