Alert of data breach notice for this site "shop.hunterowners.com" - change your password(s)

Jun 14, 2010
2,081
Robertson & Caine 2017 Leopard 40 CT
I received a darkweb alert that my email is one of the userIDs contained in a breach. Apparently, the userID/passwords of "cit0day - shop.hunterowners.com" are available for sale on the darkweb.
I recommend you change your password. If you use the same password for other things (you should not do that) I recommend changing it in all those other places, too, and start using a password manager so that you can easily use unique passwords everywhere (just remember one long password for your password manager).
Also, I recommend you activate two-factor authentication on all logins that support it -- especially your email.
 

Phil Herring

Alien
Mar 25, 1997
4,918
- - Bainbridge Island
IMHO, these "dark web" monitoring services are a scam. Details here:


If you really want to track breaches, and want data from an organization that doesn't profit from your fear, check out https://haveibeenpwned.com/

We monitor their data daily for incidents involving our own email addresses.

Our site was breached once, ~12 years ago, and it was an extremely expensive and unpleasant experience. It is my opinion that the data from that old breach, or other sources, continues to pop up. Since then we have spent considerable time and money to build the strongest fortress we can around the site.

There are no credit card numbers -- zero -- on our servers
We block all requests from suspect countries like Russia, China, Iran, Vietnam, etc.
We employ a third-party firewall that specializes in detecting and blocking "injection" attacks, the common source of breaches
If an attempt gets beyond that firewall we have our own detection system in place to block and log hacking attempts
We use software at the operating system level to scan for malware and modified files
Passwords on the server are encrypted
File permissions are set to comply with best practices

Even then, passwords have to be decrypted. All of that is possible, of course, but the question is whether the reward is worth the effort.

We will thoroughly investigate this incident and I'll report back if we find anything.

P.S. I agree with Captain Larry 100%: a password manager that enables long, complex passwords that are unique for each site is absolutely the way to go.
 
Sep 22, 2018
1,869
Hunter 216 Kingston
I would add one caveat to this sound advice. Many “password managers” allow and even promote saving your password “vault” on their “online” environment. The logic is that you have access to your complex passwords from various devices.

What happens if their environment gets hacked or goes “offline”? My vault is local and I manually sync any new or changed passwords. :)
 
Jun 14, 2010
2,081
Robertson & Caine 2017 Leopard 40 CT
There are two common models to address this:
One is that your personal "vault" in the server database is encrypted and the private key is your own master password, which only you know, and is not stored on their server. If you make that long (24+ characters) it would require a very high end computer (supercomputer) and take a long time to decrypt your own vault.
Another is that your devices sync directly to each other, and the provider's server only serves as a secure broker for the connection between your devices. So your passwords are never stored on the provider's server. Your database(s) are encrypted using the strongest available methods.
Either way, it's lower risk than using a spreadsheet, sticky notes, or re-using the same passwords, or variations of one password theme using a pattern (e.g. JohnDoe123, JohnDoe125, JohnDoe127 etc).
 
May 17, 2004
5,028
Beneteau Oceanis 37 Havre de Grace
We could have a whole in-depth discussion on this topic itself. I will say that in the case of most password managers (LastPass for example), they hold the “vault” but in a format that they (or an attacker) can’t read at all. The vault is encrypted using a combination of your username and password. LastPass doesn’t hold your password, so even if their server gets hacked and loses everything, an attacker would still need your password to decrypt anything. Definitely use a very strong password for that. Yes there is still some residual risk there, but there’s a tradeoff between that residual risk and the convenience it provides. I prefer the convenience of having the vault available on any device I use, but the important thing is that the user makes that choice for themselves knowingly.
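
The hosted-vault model described in the two posts above (the key is derived on the user's device from the username and master password, and the server stores only ciphertext), as an added example that is not part of any post and not any vendor's code. The iteration count, record field names and the HMAC-based cipher (a standard-library stand-in for a real cipher such as AES) are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor, not taken from any product

def derive_keys(master_password, username, salt):
    """Runs on the client only: stretch the master password into two keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode() + salt, ITERATIONS)
    enc_key = hmac.new(root, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key

def _xor_keystream(key, nonce, data):
    """HMAC-SHA256 in counter mode; stand-in for a real cipher such as AES."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(master_password, username, plaintext):
    """Return the record the provider stores: no password, no key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, username, salt)
    ciphertext = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"username": username, "salt": salt, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}

def open_vault(master_password, record):
    """Re-derive the keys on the client and verify before decrypting."""
    enc_key, mac_key = derive_keys(master_password, record["username"], record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or modified vault")
    return _xor_keystream(enc_key, record["nonce"], record["ciphertext"])

if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    stored = seal_vault("long unique master passphrase 2024", "larry@example.com",
                        b"shop.example: Xk9!vQ2#")
    print(sorted(stored))  # field names a breach of the server would expose
    print(open_vault("long unique master passphrase 2024", stored))
    try:
        open_vault("JohnDoe123", stored)
    except ValueError as err:
        print("rejected:", err)
```

Everything in the stored record can leak without revealing the vault contents; what protects them is the strength of the master password and the cost of each key derivation.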
 
Sep 22, 2018
1,869
Hunter 216 Kingston
It wasn’t my intent to launch a debate :).

Even though the advice of having unique, hard to guess, “secured” passwords has been around for decades it’s been my experience that many people don’t bother as “it’s too much work”. I’ve had to explain to lots of people that the new computer they just brought home from the store doesn’t “know” all their old login credentials. The common solution is they use the same credentials set for every website, write them down etc. Human nature I guess;)

Password managers take most if not all the “work” out of that so a great tool. It puzzles me why this isn’t baked right into the OS but that’s another debate ;)

So my opinion for what it’s worth - buy the PW manager that best fits your mindset, but buy one :)
 
Jun 14, 2010
2,081
Robertson & Caine 2017 Leopard 40 CT
Your response to my initial post was welcome, Phil. I'm glad you take responsible and appropriate measures. As a small business, there are practical limits on what can be done.
 

WayneH

.
Jan 22, 2008
1,039
Tartan 37 287 Pensacola, FL
It may not be as safe as a password manager but I keep a spreadsheet of my passwords on the laptop under a password. Yes, if they hack my computer, I'm screwed. BUT I know how to get to my passwords because I am NOT using Microsoft 365 for my spreadsheet.

But then, I just helped the wife fix her Firefox after the cat walked across her keyboard and set her browser to "Enterprise Settings". LOL
 

WayneH

.
Jan 22, 2008
1,039
Tartan 37 287 Pensacola, FL
It's cats and warm keyboards. It's just our tough luck that we are running a browser and she knows how to program it. :huh:
 