A lot of us got it.
Either delete and ignore or use the report link. If everyone assumes nobody else has contacted Eddie, he could end up with hundreds of emails. I'd be annoyed if it were me... I'm not sure how vBulletin handles it, but in theory the report link should deal with the possibility of hundreds of reports in a sensible way that won't be overwhelming.
Yeh had it, deleted it. Didn't click a link, not sure much could happen by doing that? Unless something is downloaded or any details are asked for.
Never quite sure of the issues with scripts on sites. In my desktop I run Firefox with no script but on a mobile, it's just chrome with no such extension. Tried Firefox mobile and didn't like it for some reason.
Indeed bit of a strange one this. Seems an odd target for a hack though.
Nothing my end but another thread doing the rounds stating the same. Cheers for the heads up.
Same here, I'll delete it.
Deleted
Just got one about 30 mins ago - looked odd and obviously not genuine so will be deleted.
So if you haven't received one yet, you probably will...
Another sufferer! I think TZ-UK has arrived in the www!
Now people want to hack in
Deleted.
Finally got it entitled 'hi'. Straight in the bin......
I got this from Dean in Canuckistan:
"Attention! If you still dont know about wide range of goods for electronics, auto, clothes, toys, health, garden, sports at the lowest producer's prices then you should go <link omitted>"
I already know about wide range of goods for electronics, auto, clothes, toys, health, garden, sports at the lowest producer's prices so I didn't click it.
I did change my pw though.
I thought I had a new friend!
Deleted
Same here
Deleted
Deleted. Thought I had a new friend for a moment.
Deleted - Wondered what that was!
I got the same message as the OP, just deleted it after seeing this thread.
Just checked Dean's activity on TimeZone and WUS. Last activity seems to be in 2007 and 2008. I don't think we'd miss him a whole lot if his account were deleted.
Deleted
Looks like the message that everyone is getting has changed.
I checked out the earlier one and it goes through a series of redirects and ends up at a site selling some sort of home protection kit or similar (using a dodgy promotional video and lots of fake testimonials). I didn't see anything dodgy in the Javascript but must admit I didn't look too hard.
The hacker appears to be an affiliate of the site and is hoping for kickbacks when hordes of eager message recipients buy whatever it is.
I'll send the source to anyone who's interested. It's harmless to look at it as text. If you're curious, I used wget to download it.
I got it.
Deleted it after looking over his profile.
The account has now been disabled but I must ask that you ensure you have a strong password.
Eddie
Whole chunks of my life come under the heading "it seemed like a good idea at the time".
Cheers, deleted...
Received and deleted.
Well, most of those have slightly more sophisticated intrusion detection, but if you have a weak password on any site where you can post messages, it's going to be a target for spammers. Sites like this, which run common forum software like vBulletin or phpBB, are especially at risk because so many sites run the same software; it makes them a big target, and they don't have the security resources of, say, Facebook. The fact that so many people are getting these "5 failed logins, your account is locked for 15 minutes" emails suggests that TZ-UK has got itself in the sights of some spambot network, so these attacks are going to continue quite relentlessly from now on.
Received and deleted.
Just got one. Dated today. With a link to police auctions for suvs and other vehicles.
Deleted mine
And I have just deleted the one I received too!
I also had not one but two saying Hi; changed password again. One was from Dean, another from whom I can't recall, so we may have another hacked account.
Received and deleted!!
If anyone notices spam coming from a different account, please note who it came from in this thread - just to save another 300 "me too" reports being posted, I think we can all stop that now. Also, remember to use the "report" link - that's what it's there for, although it's pretty tiny and hard to spot if you don't know where it is. It's a triangle icon under the message, next to "forward".
Just to clarify on the passwords thing, you don't need to change your password every time you get one of these messages. You need to change your password if your current one is weak, so you don't end up being the next hacked account spamming everyone and ultimately getting blocked by Eddie.
Make sure if you change your password that you choose something strong. There's no point in changing one weak password to another weak password. This will not reduce the chances of you getting hacked in the slightest. I posted some tools earlier to help choose a password that is both strong and easy to remember.
Note that since we're mainly concerned about automated attacks and not ones that are directed at you personally, it's OK to make your password stronger by including things like your birthday. Never do that on say, your bank account, but for an online forum where spammers are the main problem, it's OK to a degree. Think of it like this: 4 digits from your birthday is not as strong as 4 totally random digits, but it is stronger (and easier to remember) than one random digit plus an exclamation mark, unless someone has access to personal information about you. Don't use your birth year if you have it in your username though!
To understand this, bear in mind how spambots work. They will generally try a few of the commonest passwords and they will also try password=username (surprisingly, a lot of people do this - don't!). If they are sophisticated, they will then try the same, plus any digits found in your username, and common endings people use to get around password-strength enforcers, like "1" and "1!". This, incidentally, is partly why most of those enforced password strength rule sets that pointy-haired IT managers love are a really dumb idea.
Here's a great article on picking a password.
The short version: a password made up of a three word phrase is nigh on impossible to crack.
Er, yes, well some decent advice there but don't trust any article that gives "secure forever" as a metric. But yes, 3 uncommon words *not* in the order they'd normally appear in an English sentence will be pretty secure, although the number of characters matters too, so you don't want to just pick short words if you do that. You don't need numbers or special characters though.
"this is fun" however is not a very secure password (a) because of the order of the words (the author apparently doesn't know about Markov chains); (b) it's quite short; and (c) because it's been published online as a "secure password" (amazing how many people will go ahead and use it instead of making up their own).
The nerds amongst you will recognise this as the canonical source of "words not numbers" passphrase wisdom:
http://xkcd.com/936/
This gets referenced by security researchers a lot. Some of the figures aren't entirely correct, but the general principle is sound.
Of course, four words is also a lot to type in, so slow typists may want fewer words and more numbers/characters. A good technique is to substitute a symbol or number for a word, e.g., "to" -> 2, but don't do this with overly obvious phrases like 2B|!2b (that's "to be or not to be", in common programming symbols).
How do these people crack the passwords?
Brute forcing (i.e. trying all possible combinations) with weighting taken from knowledge of common usage patterns combined with obvious/common passwords.
By "common usage patterns" see the kind of thing that robt is advising against using.
It may also help to make sure that your username and/or password are not in this list: Today I Am Releasing Ten Million Passwords
Yes, they are typically used to create AI bots that write what looks like real English, but it's all just based on the statistical chance that a certain word (or letter even) will follow another. When it comes to password complexity there are two concepts that often get muddled up: one is "keyspace" which is the total amount of possible combinations, e.g., for an 8-character ASCII password this is 96^8. Entropy on the other hand is the amount of randomness, so if you have perfect entropy then all passwords will be generated completely randomly and therefore, there is no better way to guess a given password than to try all 96^8 combinations one-by-one (brute force).
However, since people don't pick passwords totally randomly, there's actually less entropy in a typical password than the entire keyspace. Less entropy means it's easier to guess passwords because you can assume that all passwords will tend to have certain common patterns, and focus your search in the area of those patterns. Since Markov chains generate things that look a bit like English text, they are better than just searching for all possible combinations of letters in no particular order: it increases the chance that you'll find a password early in the search rather than later. Anything that follows a predictable pattern by definition has less entropy than something that is less predictable, regardless of what makes it predictable. Chunks of English text are of course inherently more predictable than random nonsense.
Reliance on brute force isn't a guarantee either, since there's no way to know how far along the search has to go before it gets to your password. But in theory, if your password has an entropy of 10 bits, that means it falls within a search space of 2^10 combinations, so 50% of the time it will be found in 2^9 attempts (it might take all 2^10, or it might be found on the first guess). Something is considered secure if the entropy is high enough that it would take some insanely long period of time to try half of all the possible combinations. Most measurements for strong passwords are actually stronger than they need to be for websites though, because a GPU with an encrypted password can try combinations insanely fast. A website can only respond so fast and, as some have found out about this site, the accounts get locked out for 10 minutes after 5 failed attempts (there are other reasons why that's not a great idea though, it's better if the system just takes 3 seconds per login attempt and limits connections per IP address).
One of the things about a site like this is that there are lots of users, so the most effective strategy for a spammer isn't actually to try to pick one person and then try 10,000 password combinations until they find the right one. Their best strategy is to pick the most common password and try to access every account with that password, then pick the second most common and try every account again, and so on. So really, this is a game of trying to be more secure than everyone else. In that sense it's a little bit academic to worry too much about the absolute strength of a password, but at the same time you don't want to believe misconceptions like "P4ssw0rd" is stronger than "password", since both of those will be in the top 10 password lists anyway. Plus, all word-based attacks will try common number substitutions: all this buys you is that instead of being in the top 10 list, now you're in the top 100 list.
Since I sort of touched on it but skipped over it, I should clarify that the reason people believe that including numbers and special characters in your password makes them stronger is that, in theory, this increases the size of the keyspace. If you know that a password only has letters, then an 8-character password is 36^8 combinations. If there are some uppercase and some lowercase, it's now 72^8, and so on. Note that even this gives a good example of how entropy differs from keyspace, because usually people don't use a random distribution of uppercase and lowercase letters. It's much more common to have mostly lowercase and one or two uppercase letters. That means even if you know the keyspace is 72^8, you'd never actually need to search all those combinations because you know that many of them contain too many uppercase letters to be likely passwords.
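As an added illustration (my own code, not from this thread) of the keyspace-versus-entropy distinction and of why "P4ssw0rd" buys nothing over "password": the charset sizes, the ten-entry stand-in for a leaked top-N list, and the leet/suffix normalisation that a word-based attack would apply are all my assumptions.

```python
import math
import re
from typing import Optional

# Constructed stand-in for a leaked "most common passwords" list, most common first.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "letmein",
                    "monkey", "dragon", "iloveyou", "football", "abc123"]

# Common number/symbol substitutions; a word-based search undoes these before matching.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def keyspace_bits(pw: str) -> float:
    """Naive strength: log2(charset_size ** length), the figure a strength meter reports."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^a-zA-Z0-9]", pw): size += 33   # printable ASCII symbols (assumed)
    return len(pw) * math.log2(size) if size else 0.0

def guess_rank(pw: str) -> Optional[int]:
    """1-based position at which a word-based search reaches this password, or None."""
    base = pw.lower()
    stripped = base.rstrip("1!")                  # drop the "1" / "1!" endings mentioned above
    forms = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    for i, cand in enumerate(COMMON_PASSWORDS, start=1):
        if cand in forms:
            return i
    return None

def effective_bits(pw: str) -> float:
    """Entropy the attacker actually faces: log2(rank) if listed, else the full keyspace."""
    rank = guess_rank(pw)
    return math.log2(rank) if rank else keyspace_bits(pw)

def expected_guesses(bits: float) -> float:
    """Median attempts to hit a password of this entropy: 2 ** (bits - 1)."""
    return 2 ** (bits - 1)
```

Running `effective_bits` on "P4ssw0rd" and "password" gives the same answer even though their keyspace figures differ by ten bits, which is the point made above.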
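The two attacker strategies contrasted above (many accounts with one common password each, versus many guesses at one account) leave different fingerprints in a login log. As an added example, not anything TZ-UK or vBulletin runs, here is a classifier over a constructed log format of my own; the line layout, IP addresses and usernames are made up.

```python
import re
from collections import defaultdict

# Constructed auth-log lines: one IP spraying a common password across many accounts,
# one IP hammering a single account until the 5-strike lock fires, and one normal user.
LOG = """\
2015-02-10 09:00:01 LOGIN FAIL user=alice ip=203.0.113.7
2015-02-10 09:00:02 LOGIN FAIL user=bob ip=203.0.113.7
2015-02-10 09:00:02 LOGIN FAIL user=carol ip=203.0.113.7
2015-02-10 09:00:03 LOGIN FAIL user=dave ip=203.0.113.7
2015-02-10 09:00:03 LOGIN FAIL user=erin ip=203.0.113.7
2015-02-10 09:00:04 LOGIN OK user=frank ip=203.0.113.7
2015-02-10 09:05:00 LOGIN FAIL user=hank ip=198.51.100.3
2015-02-10 09:05:01 LOGIN FAIL user=hank ip=198.51.100.3
2015-02-10 09:05:02 LOGIN FAIL user=hank ip=198.51.100.3
2015-02-10 09:05:03 LOGIN FAIL user=hank ip=198.51.100.3
2015-02-10 09:05:04 LOGIN FAIL user=hank ip=198.51.100.3
2015-02-10 09:05:05 LOGIN LOCKED user=hank ip=198.51.100.3
2015-02-10 09:10:00 LOGIN FAIL user=gail ip=192.0.2.9
2015-02-10 09:10:20 LOGIN OK user=gail ip=192.0.2.9
"""

LINE = re.compile(r"LOGIN (?P<result>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)")

def classify_sources(log: str, min_failures: int = 5, spray_ratio: float = 0.8) -> dict:
    """Per source IP, count failures and distinct accounts, then label the pattern:
    'spray'  = many accounts, roughly one failure each (per-account lockouts never trigger),
    'brute'  = failures concentrated on one account (what the 5-strike lock catches),
    'normal' = below the failure threshold."""
    fails = defaultdict(int)
    users = defaultdict(set)
    for m in LINE.finditer(log):
        if m["result"] in ("FAIL", "LOCKED"):
            fails[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    verdict = {}
    for ip, n in fails.items():
        distinct = len(users[ip])
        if n < min_failures:
            verdict[ip] = "normal"
        elif distinct / n >= spray_ratio:
            verdict[ip] = "spray"     # only a per-IP limit or per-attempt delay slows this down
        else:
            verdict[ip] = "brute"
    return verdict
```

The spraying IP never trips the per-account lock, which is why the per-IP connection limit suggested above matters more than the 5-attempt lockout.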