Eye4Fraud hacked - how to protect yourself

x509 · 07 Mar 2023

I just got this email message. Anyone else receive this message?

In February 2023, data alleged to have been taken from the fraud protection service Eye4Fraud was listed for sale on a popular hacking forum. Spanning tens of millions of rows with 16M unique email addresses, the data was spread across 147 tables totalling 65GB and included both direct users of the service and what appears to be individuals who'd placed orders on other services that implemented Eye4Fraud to protect their sales. The data included names and bcrypt password hashes for users, and names, phone numbers, physical addresses and partial credit card data (card type and last 4 digits) for orders placed using the service. Eye4Fraud did not respond to multiple attempts to report the incident.

However, I have no idea which merchant site or sites were included in this hack because I never heard of Eye4Fraud until now. How useful is a bcrypt hash of a password?

If it matters, I use Dashlane, and most of my passwords are 16+ characters. For my bank and credit card websites, I don't even put those into Dashlane. I force myself to memorize the login info.

Malneb · 07 Mar 2023

Yes brute forcing with a rainbow table unless they salted the hashes which might be more uncommon for basic systems. anything that has money tied to an account login or anything that has the ability to spend your money go and change those passwords.

User2468 · 07 Mar 2023

Your email seems to have come directly, or is a copy/paste from the haveibeenpwned website here. Interesting to note, Google's news search using the search term "Eye4Fraud" didn't show anything for me.

If you don't know what haveibeenpwned is all about, read about it at Wikipedia here.

How useful is Bcrypt? Very useful if the password is fairly complex. Bcrypt, which is modeled after the blowfish cipher was meant not to succumb to a rainbow table attack. It's made in such a way that when you use a GPU to crack the hash it takes a very, very, VERY long time, i.e. the hash and how it's made slows down the cracking ability. Take this 2012 article for example. GPUs have of course vastly improved in performance and speed since then and you can spin up an impressive server full of GPUs at AWS (Amazon Web Services), but even still. If the password you used is fairly complex it will be hard to crack it. Especially if you use a password randomly crated and stored in a password manager that is humanly hard to remember. Never mind adding on top of that an OTP (One Time Password) 2FA (Two Factor Authentication). You can roll 2FA yourself without Authy or Google Authenticator el al using the Keepass password manager and the KeepassOTP plug-in. I use that and the Aegis App plus Keepass2Android. Only caveat is that you MUST from time to time backup all this yourself. I do so to multiple sources and forms of media like USB sticks and optical media believe it or not.

I did some research on password managers a few years ago and came to the conclusion they all sucked in one way or another except one. And that one is Bitwarden. As of this post I highly recommend Bitwarden for those that are not too technically savvy and want a pretty decent password manager without compromise. Bitwarden is cross platform and if you don't have your phone or what ever you can go to Bitwarden's website and grab your passwords. Bitwarden does have a few minor negatives I don't like about it, but so far so good.

For me personally I mostly use Keepass with a ChaCha20 cipher and Argon2 hashing with load of iterations. LOL! The password is also well over 20 random characters and committed to memory only. I do use a paid for Bitwarden account, but just so that I can store data. The free Bitwarden accounts don't allow you to upload data to the vault.

=Final thoughts =

If you ever get an email from haveibeenpwned and know you've had or have an account at the breached website, it's a good idea to then change it no matter how complex you think the password is. If you don't get email alerts from haveibeenpwned, now's a good time to add all your emails in case one shows up on a leaked database and haveibeenpwned gets a hold of it. All my emails are registered there for this very purpose. Trouble with it though is that sometimes you're not too sure which website was compromised unless you do some digging. And no, haveibeenpwned does not spam. Never been spammed from them at all. There are other websites where you can actually buy the leaked data, but they're all super expensive, but are a massive treasure trove for OSINT (Open Source Intelligence).

x509 · 07 Mar 2023

F22 Simpilot said:

Your email seems to have come directly, or is a copy/paste from the haveibeenpwned website here. Interesting to note, Google's news search using the search term "Eye4Fraud" didn't show anything for me.

If you don't know what haveibeenpwned is all about, read about it at Wikipedia here.

Yes I got this email directly from Have_I ... and I do know what that site does.

snip, snip, snip

If you ever get an email from haveibeenpwned and know you've had or have an account at the breached website, it's a good idea to then change it no matter how complex you think the password is. If you don't get email alerts from haveibeenpwned, now's a good time to add all your emails in case one shows up on a leaked database and haveibeenpwned gets a hold of it. All my emails are registered there for this very purpose. Trouble with it though is that sometimes you're not too sure which website was compromised unless you do some digging. And no, haveibeenpwned does not spam. Never been spammed from them at all. There are other websites where you can actually buy the leaked data, but they're all super expensive, but are a massive treasure trove for OSINT (Open Source Intelligence).

I don't see any point to spending serious bucks to buy the leaked data. My bank and credit card websites are not even in my password manager. In any case, the credit card site has pretty serious fraud detection that works pretty well to shut down the bad guys.For stores, etc, I use 2FA and 20 char passwords.

I can only hope that all the merchant sites that use this site are taking phone calls from the competitors of this service. A breach like this one is a gift to those competitors' sales people.

Marie SWE · 11 Mar 2023

I have the principle, change passwords at least every six month even with Two Factor Authentication. Sites that don't have that.. change password once a month...
When i site get hacked it can sometimes take a while before it gets public knowledge, as the company can be embarrassed about it or they have to fix the breach before they go public so they don't get attacked even more meanwhile they solves it... or ever worse, they don't even know they have been hacked.

As for GPU hash cracking.. yes it does take time if you use your PC.. but today you can rent serious GPU power thru server-farms. so its no longer a matter of how big rig you have.

as for password managers.. they is only good until the day they get hacked/leaked.. everything online is someone else computer..

Security isn't a destination, it is sadly a continues battle.
So even if you just get a tiny-tiny feeling while eating breakfast that something is wrong.. change passwords. You van never change password to often.. And never-ever-whatsoever reuse an old password. that is really stupid for real.

Compumind · 12 Mar 2023

x509 said:

I just got this email message. Anyone else receive this message?

In February 2023, data alleged to have been taken from the fraud protection service Eye4Fraud was listed for sale on a popular hacking forum. Spanning tens of millions of rows with 16M unique email addresses, the data was spread across 147 tables totalling 65GB and included both direct users of the service and what appears to be individuals who'd placed orders on other services that implemented Eye4Fraud to protect their sales. The data included names and bcrypt password hashes for users, and names, phone numbers, physical addresses and partial credit card data (card type and last 4 digits) for orders placed using the service. Eye4Fraud did not respond to multiple attempts to report the incident.

However, I have no idea which merchant site or sites were included in this hack because I never heard of Eye4Fraud until now. How useful is a bcrypt hash of a password?

If it matters, I use Dashlane, and most of my passwords are 16+ characters. For my bank and credit card websites, I don't even put those into Dashlane. I force myself to memorize the login info.

If you were not a victim, then just send to your junk/spam folder and delete. Do not click on any links in that email.

Done.

User2468 · 13 Mar 2023

Constantly rotating passwords is highly unnecessary unless a password was deemed compromised.

Keepass is not a cloud storage that's why I use it and back it up myself.

Marie SWE · 13 Mar 2023

F22 Simpilot said:

Constantly rotating passwords is highly unnecessary unless a password was deemed compromised.

Keepass is not a cloud storage that's why I use it and back it up myself.

Yeah it is.. but.. how do you know it hasn't been compromised, if they don't go out with the information if they have been hacked.. or worse if you have been a selected target.
That's why i change passwords on a regular basis.

User2468 · 13 Mar 2023

Okay...