Has anyone else gotten a message that their forum password has been compromised and they should change it immediately? I only use this password for this website so it can’t have been stolen somewhere else.
[WEBMASTER EDIT: For all reading along, please see my post below. Please avoid conjecture on such a topic.]
Are you sure the message came from RS. It sounds like a phishing email.
Nothing for me. Do double check who sent you the email.
I’ve gotten that same message intermittently. Maybe every 10th time I sign into the forum. I’ve ignored it, but perhaps I should call the office to confirm if there is a breach.
[WEBMASTER EDIT: Please do not call. Frontline staff is not trained at this technical level, and they have no ability to confirm a breach if there was one. Please see my post below.]
I got this today, too. It came as a surprise.
Let me guess...are you logging in from a Mac or an iPhone?
I've never seen this message before (and was skeptical what I saw it today). Today I was out and about, and I logged in to the forum from my phone (an old iPhone). Typically I log in from a desktop Mac. When I do, I see no such message. Hmmm.
This appears to be a legitimate warning. A quick search for "Compromised password message on my iPhone" yielded many hits, including plenty of questions and responses on Apple's own online support community forum, the first one I read contains this advice:
"Yes, it is real. Note that there is no scam link in it. Go to
Settings/Passwords/Security Recommendations to see this and other
potentially compromised passwords.Apple and other tech companies monitor the “dark web” for compromised
personal data from hacked businesses, and create lists of compromised
IDs, passwords, and other data, then match it against user-saved
credentials. Here is a public site that lets you search for your own
IDs and passwords→https://haveibeenpwned.com "
I have not reset my forum password (nor have I visited the link above from Apple's forum), but will probably reset my password here shortly. But it begs the question:
What should users expect in terms of transparency if/when that inevitably happens (I assume every business with an online presence will be hacked and/or all user accounts everywhere will be compromised eventually...).
Interesting...
Edited later to add: Password reset done (I think)
Thank you, David! I am on an iPhone and the message came directly from that when I logged in today. Not an email. Just a warning that appeared when I logged in with my touch, saying that my password for this site is for sale or something like that, and I should change it immediately. So I did.
Hmmmm. I got that same message on my Apple device when I logged in here, about 10 days ago. And then a notice from our ID monitoring service that the password I have used here for years (which they named and which I only use here) is available on the dark web. So I changed mine immediately.
What's interesting is that those of you who have received this are in the same area.
Thanks for the info. Good reminder to do a password overhaul.
I sent the webmaster a note alerting him about this thread; perhaps he can shed some light on the questions tomorrow.
I've been assuming what happens is that a breach occurs somewhere, in some other system you sometimes use. Your email address (login ID) and password are among the many that are compromised by the hackers who broke into the compromised system. A list of the compromised login credentials eventually becomes available to security people. They want you to know bad guys have access to your credentials. If you have used that same login/password combination on other websites, you'll get a security warning when you log in to any of those other systems (like the RS Forum) even though that system itself hasn't been hacked.
Yes, we are all supposed to have a unique password for each of the systems we access.
I get it occassionally on my Android phone. I've gotten it in the US and in Europe.
I think it's just a security warning to change your password if you haven't for a long time.
Well, lets see.... the password I use on here will allow them to.... post as me? No, credit card info. No real personal info.
Risk rating - Incredibly low
If anyone gets an email like there, as periscope said, don't click on any links but DO head immediately to the website and change your password. It only takes a few minutes and it's much better to be safe than sorry.
I get periodic updates from Google telling me about personal information of mine that has been found in the Dark Web. Most of it is basic stuff like my email address but you still want to be careful and take precautions.
I also use a password manager (1Password) that creates very difficult to break passwords, and also periodically reminds me to change my passwords (about every 6 months), which I do.
Carol—-someone who has your password for your account here can get your email address, and possibly connect that with other personal information. So it is not all that harmless, especially if you use that same email address for your bank accounts (which I do not, thank goodness).
To clarify some things and add some info:
So right now it's a mystery (at least to me). Not a hair-on-fire, go-to-defcon-1 freakout emergency. I suspect staff will provide some details shortly and it'll be no big deal.
That said, this should be a reminder to all to follow reasonable precautions that you already know you should follow:
- If you see this message (and even if you don't) reset your password once in a while.
- Use a strong password (a mix of uppercase and lowercase letters, numbers and punctuation symbols).
- Use a unique password here that you have never used anywhere else.
- Keep your devices' operating systems (and anti-virus software, if you use any) up to date.
- Don't share your login credentials with others.
- Watch out for Dynamic Currency Conversion on every financial transaction.❊
- Wear your money belt or other safety devices when traveling.❊
- Life is short. Have another gelato.
❊ These won't actually help keep you account secure, but you should do them anyway.
Yeps, thanks for the response.
For sure, I do not want to encourage any alarm over this. As indicated above, I think the risk here is extremely low (unless you use the same password for multiple sites, which you should never do).
I will confess that the password I had been using here previously was not terribly strong, I had not changed it in decades, and it could have easily been broken by a simple blunt-force algorithm (eg using human-understandable words like "europeiscool"). So if your passwords are that flimsy, you should go change yours. A reminder that the bad guys are constantly getting badder, stronger, and have better tools than previously.
I don't believe there's any emergency here, but it's a good reminder to do the stuff we all should do, and not do things we shouldn't. Now I'm gonna go have some gelato for breakfast.
David, I hope you can pay for your gelato without having to first go to the bathroom to get money out of your money belt….
I guess I will change my flimsy password, although I have had no notifications(other than that it is flimsy). Sigh.
I'm reposting this lower and making some edits so that it's sequentially after David's latest set of information. (Thanks, David!)
Hey folks, I've been asked to review this thread. There's limited information here to indicate what this actually is. Please don't jump to conclusions that there's been some sort of hack based on such limited information. I've edited a post in this thread to tone this down as online alarmism isn't helpful.
For another example, claims of "I only use X password on Y website" seem reasonable to assert that Y website has a problem on the surface. However, there are a number of other ways beyond an issue with Y website to acquire such a password. Your browser can remember passwords. People write down their password in other apps or email them to themselves. Your device may have malware on it that tracks keystrokes (aka tracks username/passwords), or perhaps you logged in once on a other/public device that has such malware. Or, as David mentioned, perhaps the password just isn't that strong. And I'm not claiming that anyone here specifically is forgetful, but I've had people on the phone and in other conversations say something like "oh yeah, I have used that password somewhere else." Frankly, unless you log in with a custom email address that only is used to log in here (usually requires running your own servers to create a e.g. ricksteves-login @ MyCustomServerAndDomain.net email address) -- and even then it doesn't rule out the possibilities above -- we're in a position to take such assessments (using X password on Y website) with a grain of salt. That's not to say that we don't take e.g. David's experience seriously as it's worth investigating.
No one needs to become overly alarmed about the possibilities I've outlined above either. The best advice is to simply update your password if you're concerned.
For those who understand data breaches and how searching the dark web for compromised usernames/passwords works, in case it eases your concerns, I'm not seeing ricksteves.com on the https://haveibeenpwned.com website noted above. That's not foolproof and that service may not be comprehensive, but it shows that our website hasn't been a part of known data breaches. There are other services that provide similar information that can help indicate where a breach came from as it relates to your data. By all means, if you ever saw ricksteves.com, please let me know directly instead of posting in a forum where I may not see it! And in case it isn't obvious at this point, this reply indicates that to our best knowledge RSE has not been involved in any breaches regarding your RS Account.
I'm happy to review your specific case in case there is a sniff of a problem on our side. As much as I'm trying to temper gut reactions in this thread -- especially as Apple/Google/Msft/Safari/Chrome/Edge/Firefox step up their efforts to notify you of compromised logins -- I do take security issues seriously (as does the rest of our IT team and management). If you'd like to send me a screenshot of what you're seeing -- and make sure the screenshot includes what web page you're on including the URL at the top plus the entirety of the message/window that pops up (do your best if on your phone) -- you may do so at webmaster at ricksteves dot com. Please provide any other specific context around what you were doing at the time you saw the message.
Thanks everyone!
Sorry if it got buried as my last post was long, but I would like to see screenshots from a few of those reporting this if you're willing to email one to me.
Sorry if it got buried as my last post was long, but I would like to see screenshots from a few of those reporting this if you're willing to email one to me.
I get one of those messages every 2 weeks! How does one go about sending something to the Webmaster?
I would do that if I could, but I did not think to take a screenshot at the time I saw the notification. I cannot reproduce it because I changed my password right away. And I cannot recall the exact wording, but I understood it to mean that my old password had been discovered and was for sale on the dark web. Maybe they got it from my email that I use for my account here—- which I rarely check because I only use it for travel forums like this one. I haven’t posted on TripAdvisor for years though.
How does one go about sending something to the Webmaster?
https://www.ricksteves.com/forms/contact-webmaster
His email is at the bottom.
