
Account hacked please help



8 hours ago, CaithLynnSayes said:

I'm a software developer/pen tester. If SL logins would be "hackable", I would know. - I'm aware that sounds incredibly arrogant, but I'm sorry, that's how it is. You don't need to be so touchy and hypersensitive about it. ;) My intent is not to make anyone look foolish or bad.

Phishing isn't hacking. Hacking is breaking into a server and stealing or even dumping (unprotected) data. Phishing is... fishing, laying out a trap. Those are very different things. Don't be so triggered about it, it's really not a big deal. If anything, you've learned something today. You're welcome 👍

 

Pen test(er): A penetration test, colloquially known as a pen test(er) or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths

(Source Wikipedia)

And it would be pretty out of touch not to recognize that plenty of companies with large staffs of developer/pen testers have been hacked who claimed they would know if their databases were hackable and yet they didn't. How much more so with a company that normally takes years to fix bugs in their platform and often seems incapable of bringing in features to their web services that would simplify everyone's life immensely. How confident can we really be that they are on top of any new or even older vulnerabilities that come to light? Their track record in many regards has not been exemplary. I personally would have much more confidence when I see that any case of hacking/phishing is scrutinized closely to make sure there isn't a pattern pointing to problems than this attitude some have of "It wouldn't happen on my watch!". Those are the ones on whose watch it is more likely to happen.


Hacking is an activity to penetrate server security, and hackers don't just work in front of a PC. They work irl, collect data and have networks, and they don't hack game IDs. Not worth it, for the strenuous effort they put in.

Ex:

A company sends a hacker to destroy others' database; they don't steal your ID, they delete all data. They attack LL, not you as a user.

Edited by Kalegthepsionicist

19 hours ago, bigmoe Whitfield said:

accounts are not hacked, they are phished, or they have used the same password in many places, if anybody remembers from 2006 when SL did have its passwords hit, it was like 12 accounts, they forced everyone to change their passwords before they could log back in.

And then I changed my password again after I was able to log in just to thumb my nose at LL.

🤭

11 hours ago, CaithLynnSayes said:

I'm a software developer/pen tester. If SL logins would be "hackable", I would know. - I'm aware that sounds incredibly arrogant, but I'm sorry, that's how it is. You don't need to be so touchy and hypersensitive about it. ;) My intent is not to make anyone look foolish or bad.

Phishing isn't hacking. Hacking is breaking into a server and stealing or even dumping (unprotected) data. Phishing is... fishing, laying out a trap. Those are very different things. Don't be so triggered about it, it's really not a big deal. If anything, you've learned something today. You're welcome 👍

 

Pen test(er): A penetration test, colloquially known as a pen test(er) or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths

(Source Wikipedia)

HAHA, who are you trying to fool? Maybe Fortune 500 companies that have had data breaches should hire you to be their Pen Tester.

 

 

Edited by Sam1 Bellisserian

2 hours ago, Sam1 Bellisserian said:

HAHA, who are you trying to fool? Maybe Fortune 500 companies that have had data breaches should hire you to be their Pen Tester.

 

 

I'm very confused and puzzled by what you just said. But then again, I have been before on things you said so maybe there's a pattern eh?

Why would you think I would try to fool anyone? What would be the benefit of that? Are you sure you even slightly understood what is being said here sweetheart?

Companies do in fact hire my company/work to do exactly that, pen test their system... So, again. I'm really confused by what you are trying to say?

Edited by CaithLynnSayes

17 minutes ago, CaithLynnSayes said:

I'm very confused and puzzled by what you just said. But then again, I have been before on things you said so maybe there's a pattern eh?

Why would you think I would try to fool anyone? What would be the benefit of that? Are you sure you even slightly understood what is being said here sweetheart?

Companies do in fact hire my company/work to do exactly that, pen test their system... So, again. I'm really confused by what you are trying to say?

Finding ways in is always fun,  I like challenges to systems.


On a sidenote my husband is working as SQTM+A and asked about it he simply put "it has a username (usually well known to others on the web because you SLers are famecrabs) and a PW of COURSE it's hackable if someone wants to, every site/account is when you just want to put enough time and effort into it"

I really do not know where all this "SL is unhackable" comes from always, yes maaany click weird links way too fast because, here is this Youtube link a "friend" sent or here here is this seemingly MP link in some "merchants" profile, oooh look super cheap sale spam phishing link in discord weee ooor look here this Lumiya version I found fallen off the back of some shady truck!

And I really doubt that SL in general is that interesting to hackers nowadays, but single people might be, just for the purpose of hurting them, many people in SL met people on here that are not as trustworthy, and even stalkerish and harmful and seem to hold personal vendettas, I totally would be not surprised by such people trying such things, since they already know your Login name and not many people use really good PWs xD If SL was unhackable why did they bring in 2FA into the game at all? ;)

But I also think that this discussion takes away from the OPs question/need for help!

But s/he did all they could to fix it I guess, PW change etc. and contacting SL and no matter how their account got compromised I feel sorry for them and really hope they got it back fully and happily...but I really doubt LL can or will do much about the missing $L sadly :/ 


On 3/1/2022 at 6:01 PM, CaithLynnSayes said:

I'm a software developer/pen tester. If SL logins would be "hackable", I would know. - I'm aware that sounds incredibly arrogant, but I'm sorry, that's how it is. You don't need to be so touchy and hypersensitive about it. ;) My intent is not to make anyone look foolish or bad.

It wasn't me who was "touchy and hypersensitive about it". It was you when you fault-finded the OP by assuming that you knew things about the situation that you definitely did not know. I merely responded to it ;)

 

On 3/1/2022 at 6:01 PM, CaithLynnSayes said:

Phishing isn't hacking. Hacking is breaking into a server and stealing or even dumping (unprotected) data. Phishing is... fishing, laying out a trap. Those are very different things.

Phishing is a method of hacking. Hacking an account or system is the act of finding a way into it without the owner's permission or knowledge. It includes many methods. It's all hacking. A long time ago, I hacked into quite a lot of accounts in a multi-user game system simply by writing and running a program that tried to log into all the system's accounts by trying a number of common/obvious passwords with each one. I also had a book about hacking, which described methods including the waste bins and personal information that I mentioned earlier. It's all hacking, and phishing is just another way of doing it.


55 minutes ago, Phil Deakins said:

Phishing is a method of hacking. Hacking an account or system is the act of finding a way into it without the owner's permission or knowledge. It includes many methods. It's all hacking. A long time ago, I hacked into quite a lot of accounts in a multi-user game system simply by writing and running a program that tried to log into all the system's accounts by trying a number of common/obvious passwords with each one. I also had a book about hacking, which described methods including the waste bins and personal information that I mentioned earlier. It's all hacking, and phishing is just another way of doing it.


 

I'm not trying to be arrogant bud, but... no, just... no. But I won't argue with you about it, if you wanna believe that a guessing game and phishing are the same as hacking, then sure... to you it is.


12 hours ago, CaithLynnSayes said:

I'm not trying to be arrogant bud, but... no, just... no. But I won't argue with you about it, if you wanna believe that a guessing game and phishing are the same as hacking, then sure... to you it is.

Ok. You have your own definition of what hacking is and isn't, perhaps because of what you do, and you are perfectly welcome to it. I and others here disagree with that narrow view, as does the book on hacking that I mentioned, plus a few definitions that I found by searching in Google, such as "the act of compromising digital devices and networks through unauthorized access to an account or computer system". 'Hacking' is a blanket term and not confined to a specific type of activity, but I'm happy to agree to disagree if you like.

Edited by Phil Deakins

20 minutes ago, Phil Deakins said:

Ok. You have your own definition of what hacking is and isn't, perhaps because of what you do, and you are perfectly welcome to it. I and others here disagree with that narrow view, as does the book on hacking that I mentioned, plus a few definitions that I found by searching in Google, such as "the act of compromising digital devices and networks through unauthorized access to an account or computer system". 'Hacking' is a blanket term and not confined to a specific type of activity, but I'm happy to agree to disagree if you like.

You found a thing on the internet that agrees with you. Be it true or not, you found it so you use it as a gotcha... Sure thing bud. As I said, you believe whatever you want to believe ;)

*pads you on the head*


On 3/1/2022 at 2:05 PM, CaithLynnSayes said:

*sigh*... <deep breaths>... inworld media has no "physical" connection with your inworld logged in account. It's just a fancy web browser within your viewer. The potentially dodgy website you're opening on it has no clue it is being opened from within inworld SL, let alone what SL account is doing it. Fact check false.

Most “dodgy websites” won’t care, but SL media, especially parcel media, especially scripts using PARCEL_MEDIA_COMMAND_AGENT are notoriously capable of associating a specific SL account with a web session and all that comes with it. This likely has nothing to do with what ails the OP’s accounts at the moment, but just because the average web threat isn’t interested in SL doesn’t preclude a threat with specific SL interests from using a media-enabled web vector to target a particular SL resident with highly specific context for phishing. More users should be more cautious about enabling SL media, especially if they care about privacy.

Now, Lumiya. As far as I know, the source code for this was never released, was it? If not, do we know if anyone has done long term monitoring of all network connections it establishes? Given the current world situation and the country of origin of its developer, honestly, I would not use this program without some investigating I’m far too lazy to conduct myself. (I have used it years ago and yeah, it’s quite an amazing feat of development, but personally… I hope the Lab has its official mobile viewer available soon.)


9 minutes ago, Qie Niangao said:

Most “dodgy websites” won’t care, but SL media, especially parcel media, especially scripts using PARCEL_MEDIA_COMMAND_AGENT are notoriously capable of associating a specific SL account with a web session and all that comes with it. This likely has nothing to do with what ails the OP’s accounts at the moment, but just because the average web threat isn’t interested in SL doesn’t preclude a threat with specific SL interests from using a media-enabled web vector to target a particular SL resident with highly specific context for phishing. More users should be more cautious about enabling SL media, especially if they care about privacy.

Now, Lumiya. As far as I know, the source code for this was never released, was it? If not, do we know if anyone has done long term monitoring of all network connections it establishes? Given the current world situation and the country of origin of its developer, honestly, I would not use this program without some investigating I’m far too lazy to conduct myself. (I have used it years ago and yeah, it’s quite an amazing feat of development, but personally… I hope the Lab has its official mobile viewer available soon.)

Never had any suspicion about Lumiya


4 hours ago, Phil Deakins said:

I'm happy to agree to disagree if you like.

..Phil? Is that really you? Or did someone hack your account? The Phil I remember wouldn't "agree to disagree" so easily!

 

11 hours ago, Silent Mistwalker said:

These days, they even call the little tips and tricks our moms taught us for baking and cooking hacks. 

They're not hacks. 

That is not how any of this works.

"Hacking" used to be a positive term that meant "writing a program". Before my time, and I'm old!! But I know people who always mention this. So - in case nobody mentioned it yet in this thread. 
"Hacking" has a bunch of non-computer definitions too, all unrelated to one another. Cool, innit? Where's @Madelaine McMasters when we need her (them)?

Edited by Love Zhaoying

2 hours ago, Love Zhaoying said:

"Hacking" used to be a positive term that meant "writing a program"

Now your statement is correct as it applies to early journalists.

Original meaning of the word HACK.

 


 

I've been on the planet a little longer than Maddy has.

Edited by Silent Mistwalker

25 minutes ago, Silent Mistwalker said:

Now your statement is correct as it applies to early journalists.

Original meaning of the word HACK.

 


 

I've been on the planet a little longer than Maddy has.

...thanks for finding and removing my Nits! 😹


@shippo849 The code for the viewer, actually all viewers, is online. Anyone can see how the viewer goes about logging in.  So we know that the viewer accepts what you type for a password and encrypts it then sends it across the net. Since this is using the HTTPS protocol the computer encrypts the encrypted string again. The SL login server receives the double encrypted string and the network side decrypts the HTTPS level then checks to see if the remaining encrypted string matches the encrypted string it has on file.

So getting the password by intercepting your network communications is for practical purposes... impossible.

The media that is used by the viewer can provide a black-hat your IP address. This would allow them to somewhat monitor your network communications and give them a target for attempting a crack.

The strong network encryption leaves two possible places for a crack to happen. In the SL servers or on your computer. Those are also difficult hacks. The Lab takes care of their servers and is cautious to not let employees do things that would let foreign software into the system. If someone does manage to crack SL's security we would all be getting hit. So, that leaves something you did. But, what? Several of us are speculating.

There are some questionable viewers out there. Using any copy-bot viewer is high risk. If the author of the viewer is willing to steal other people's stuff, why would he/she not steal your password? It's easy to program a viewer to send the ID & password home to the black-hat. We have caught a couple of vigilante groups in SL that placed code in the viewers to help get information on users and access to their accounts. Which is why we are cautious to use only well known viewers.

Getting a virus in your computer is also difficult. The AV software we have makes that very difficult too. Clicking a bad link on a web page (they sneak stuff into web ads) or email may open you to an infection risk. But, your AV software will generally save you. So, this too is an unlikely vector for you being cracked.

What is common and much easier for black-hats to do is get lists of IDs and passwords from those that have made big hacks. Those lists are a sellable commodity.

There are companies that sell the service of alerting you when one of the businesses or services you use has been cracked. Some password managers provide a list of the sites you are using that have been cracked. Annoying that companies withhold that information.

With those lists they can often combine them with other lists and sort by IP address. Studying the passwords one is using, the black-hat can get an idea of how you format your passwords. This gives them a huge edge in brute force attacks. So, using last name spelled backward with a year number as a suffix is a pattern they can use in an attack. Or if you use the same password in many places then you are an easy target.

You'll have to think about how you create passwords, where you use them, and who in that field may have been cracked. You may never know how your account was cracked. You know it was, so you are doing something risky. Change.

Passwords need to be made from upper and lowercase letters, numbers, and special characters (!@#$...). The length of a password is important. For any account with access to money use 10 or more characters. (~89^10= 31,181,719,929,966,183,601 possible combinations).

With password managers you can use their password generator. Plus there are free generators online. But with a manager, you don't have to remember or type long random password strings, which can be really tedious.

 

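The password advice in the post above, turned into a check a site or a user could run before accepting a new password. This is an added example, not part of the thread and not Linden Lab code; the function names, the sample login name and the `BREACHED` set are constructed for illustration, and the set stands in for a breach-notification service or password-manager report.

```python
import re
import string

MIN_LENGTH = 10  # the post's minimum for any account with access to money

# Constructed sample of passwords already exposed in earlier breaches.
# A real deployment would query a breach-notification service instead.
BREACHED = {"password1", "qwerty123", "letmein!", "Htims2019!"}

CHAR_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                string.digits, string.punctuation)


def keyspace(alphabet_size, length):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length


def name_candidates(username):
    """Each word of the login name, lowercased, forward and reversed."""
    parts = [p.lower() for p in re.split(r"[^A-Za-z]+", username) if len(p) >= 3]
    return [c for p in parts for c in (p, p[::-1])]


def assess_password(password, username, breached=BREACHED):
    """Return the weaknesses found; an empty list means none were found."""
    findings = []
    lowered = password.lower()
    candidates = name_candidates(username)

    if len(password) < MIN_LENGTH:
        findings.append("too_short")

    # Upper case, lower case, digit and special character must all appear.
    if not all(any(ch in cls for ch in password) for cls in CHAR_CLASSES):
        findings.append("missing_character_class")

    # The login name is public, so a password built from it is guessable.
    if any(c in lowered for c in candidates):
        findings.append("contains_login_name")

    # The pattern the post names: a name (also spelled backward) + a year.
    if any(re.search(re.escape(c) + r"(19|20)\d{2}", lowered) for c in candidates):
        findings.append("name_plus_year_pattern")

    # Reuse: the exact password already circulates in a breach list.
    if password in breached:
        findings.append("seen_in_breach")

    return findings


if __name__ == "__main__":
    print("10 chars over 89 symbols:", f"{keyspace(89, 10):,}")
    for pw in ("htimS1987", "Htims2019!", "v7#Qm!x2Lp$Tz"):
        print(pw, "->", assess_password(pw, "Jane Smith") or "no findings")
```

An empty result only means none of these specific checks fired; it does not prove the password is strong.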

On 3/4/2022 at 8:32 AM, CaithLynnSayes said:

You found a thing on the internet that agrees with you. Be it true or not, you found it so you use it as a gotcha... Sure thing bud. As I said, you believe whatever you want to believe ;)

*pads you on the head*

I sincerely hope you weren't thinking of padding me on the head. I prefer to be patted on the head if it's all the same to you.

No I did not "find a thing on the internet that agrees with [me]". I found multiple things there that agree with me and others in this thread. I thought that quoting one of them would be sufficient. It seems I was mistaken. Plus the book on actual hacking agrees with me, so it's you who is the odd one out, not me ;)

*pats you on the head* :)

 

21 hours ago, Love Zhaoying said:

Phil? Is that really you? Or did someone hack your account? The Phil I remember wouldn't "agree to disagree" so easily!

Yep. It's really me. There are one or two idiots here who have been given the ability to suspend people, so I think it's better not to get into it these days.


8 hours ago, Phil Deakins said:

I sincerely hope you weren't thinking of padding me on the head. I prefer to be patted on the head if it's all the same to you.

You know what, I wasn't sure if it was pad or pat, my English isn't perfect. Thanks for clarifying :D

I meant something like this:


 

We'll just agree to disagree ;) 


On 3/4/2022 at 6:48 AM, Love Zhaoying said:

..Phil? Is that really you? Or did someone hack your account? The Phil I remember wouldn't "agree to disagree" so easily!

 

"Hacking" used to be a positive term that meant "writing a program". Before my time, and I'm old!! But I know people who always mention this. So - in case nobody mentioned it yet in this thread. 
"Hacking" has a bunch of non-computer definitions too, all unrelated to one another. Cool, innit? Where's @Madelaine McMasters when we need her (them)?


Though I'm not as old as @Silent Mistwalker, I have hacked firewood... and mucus. I've also ridden on a hack (horse) and in a hack (coach). I think I could argue that the current technological use of "hack" is becoming hackneyed.

I wasn't gonna weigh in on this discussion, as my understanding of "hack" and "phish" wasn't based on any real research into the terms. But, I did just query my favorite cousin during the course of a phone chat planning her return visit to Wisconsin for St. Patrick's Day. She's an FBI agent, lawyer, and psychologist, half Irish, and all nerd. I asked her if the FBI treated hacking and phishing as different activities.

"Yes".

I asked for more detail, which pretty much aligned with my existing understanding. The complexity of the subject makes it impossible to use these terms with great precision. They can overlap, and laws governing cyber crimes often predate the technologies used to commit them and the terms now used to describe them. Still, cyber crimes reflect age-old behaviors. Fraud, theft, trespassing, destruction of property, ransom, libel, you get the idea.

In my cousin's practice, hacking is a primarily technological endeavor, generally not directly involving people. At the other end of the technical-social engineering spectrum are classic cons or scams, in which someone obtains something of value by deceiving others, who are weak enough links to render the technological aspects relatively uninteresting to the criminal. The Nigerian Prince is a classic scam that happens to use technology. Email fraud is just mail fraud with an E.

Phishing falls nearer to cons and scams than hacking. The kind of engineering required to make it work is social, not technical. The methods used to combat such crime are vastly different, as is the nature of internal resources used to investigate it. So, the FBI treats hacking, phishing, and scamming as different enough to continue to warrant their own separate words, though my cousin expects the language to continue evolving.

I also learned a new term..."shoulder surfing". Though the first automated teller machine was fielded in 1969, it wasn't until the arrival of the internet (and memes, hashtags, etc) that shoulder surfing became a popular term to describe the activity of stealing credit card account and PIN numbers by looking over the shoulder (often at a distance using binoculars) of the victim. I know this behavior goes back much further, as I recall seeing an old B&W movie, probably from the 1940s, depicting a thief getting the combination to a safe by peering through the window with a telescope while the victim opened it.


Edited by Madelaine McMasters
