I'm not sure if this is the right forum for this, but someone seems to be trying to get into my ebay account.
Ive got an email saying about how ive forgotten my password for ebay, and the origin of this was from 174.20.82.33 which appears to be from somewhere in Minnesota.
Should I be worrying about this?
And is there anything I should do?
Usually with those "forgotten password" emails, you can safely ignore them and the reset token will expire after 24 hours or so. If you have a simple or guessable password for eBay, change it to something that's hard to guess/crack and that you don't use elsewhere as soon as possible. Change your PayPal password to something different.
It could also be that the password reset email itself is a scam, with malicious links, so make sure to go to eBay manually to change your password and not via any links in the email.
Change your password to something around 10 characters that incorporates both uppercase and lowercase letters and substitute letters for numbers.
For Example
H3xu5F0rum5
hard to crack
It's a bad idea to substitute letters for numbers and think that it gives you any extra security - for starters this is really obvious, and additional numbers don't add that many extra combinations to try for brute force approaches. Better to use unrelated combinations of words.Originally Posted by Lister
Something like "H3xu5F0rum5" would be a bad password as it suffers from both of those problems (simple number substitution and related words).
+1 This is particularly true if the 'attacker' is specifically targeting you, as they'll have some information on you already. A base wordlist can fizz through millions of iterations and substitutions in a very short amount of time.
It's also good practice to use non alpha-numerics in your password ($£!%&_ etc.), a lot of word lists and brute force patterns will stick to alphanumeric characters to cut down on time - especially for impatient chancers with low resources.
I'd think (hope) that eBay have a good system to prevent brute-force attacks.
Precisely. It still pees me off when accounts insist on using numbers in a password.
You wouldn't believe the amount of people I come across that have their password set to 'password' or their name or date of birth. Picking a random word that has some meaning to you and using numbers etc is at the very least a hell of a lot better and the average user will be able to remember it.
Yes you could go down the route of 20 character randomly generated passwords, there are free websites that will do this.
Right, well id like to think my password is a pretty secure one, and this is a one off attack
Ill probably just leave it because i dont keep any bank details on my account or anything. In fact Ive only used it once, and Im tempted to delete it now, haha
Thanks for the insight guys!
Agreed. Kalniel is dead right that "H3xu5F0rum5" is far from strong, but it's at least better than "ebaypassword", or indeed "password".
And, by the way, I would believe how many you come across using "password", or other similar phrases. During some security testing, I came across a number of wifi routers run by businesses that still used the default router password and username. Encryption was enabled, though.
As for Dan's concerns, I'd endorse virtuo's answer.
Don't forget, it might also be a mistake.
Sometimes people mistype their email addresses, obviously if you have your own domain thats unlikely, and if you're on one of the free providers this could be why.
This can also happen if you have inadvertently used a VPN or proxy. Some corporate networks also route all of their traffic through the US so that can be a issue if you've tried to login from work.
I wouldn't say it's a very short amount of time. Checking through millions of lines is going to take a good 6+ hours. Either way, agreed on the rest.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
