I'm curious about how/where you were able to see the list.

I've got my sources. ;o)

It was actually another letterboxer who brought it to my attention. I'm not sure if he/she would prefer to stay anonymous or not so I'll let them post if they want. As I understand it, they signed up for a service that monitors for data breaches and received a notification that an email address they used showed up in a recent data dump. They contact me about the breach (along with a link to the list) at first thinking AQ had been breached, but it was actually LbNA's data.

I'm assuming they contacted LbNA about the problem too, but they could be on vacation for all I know. I'm not sure when they'll learn about the breach or warn everyone, but it seemed important enough that I let everyone know ASAP. I just found out about it minutes before I posted my announcement--I happened to be online when the information was sent to me. (Good thing I wasn't hiking!)

So that's how the information came into my hands. I don't think the letterboxer who sent me the information really knows anything about how or when the hack happened either--just that information is floating out there on the web where it's not supposed to be.

-- Ryan

I'm not sure when they'll learn about the breach or warn everyone, but it seemed important enough that I let everyone know ASAP.

I posted a link to this thread, and cut and paste the first message, to the letterbox-usa yahoo group. I do not know if you have to be an AQ member to click thru the link, but the first message should be sufficient warning.

Stupid but honest question... What if you genuinely can't remember if you have a lbna account? Will trying to figure out do any harm?

I do not know if you have to be an AQ member to click thru the link...

Not for the public boards. Private boards require someone to be logged in to read, but this board is public so not a problem. =)

What if you genuinely can't remember if you have a lbna account? Will trying to figure out do any harm?

It won't do any harm, but I've imported the LbNA data into AQ and am cross-referencing the two to send an AQ mail message to anyone with a compromised password that they're using on AQ. If you have an AQ mail message, it applies to you. If you don't... you're in the clear. All LbNA accounts appear to be compromised, but if you have an account there and the password works nowhere else, you probably don't have to worry about it.

-- Ryan

I can't believe they're still storing passwords. But... Can you send me mine? Lol

Thanks for letting me know what fun things hacking LBNA can do. It just seems crazy.

I am not sure if I have and LBNA account either. Is this cross reference and email something you will be doing or something you've already done?

Is this cross reference and email something you will be doing or something you've already done?

When I started the thread, it was something I was going to do. As of right now, it's already done. If you didn't get an AQ mail from me about the problem, the passwords on the two accounts are different. (Or maybe you're using different email addresses or trail names on the two sites so AQ wasn't able to match the accounts.)

-- Ryan

There have been incidences of "stalking" on AQ before--and being able to log into your account might be a big perk if you want to stalk someone.

Wow. Just wow. Never thought about this...

Thank you. You're awesome. :)

I use different passwords for every website I know

Not everyone has your memory.

That's why I use KeePassX. It stores passwords in a local, encrypted database. It is available for MS Windows, Macintosh and (my favorite) Linux. For most Linux distributions you should install it from your Software Center (or whatever it is called on your distribution).

Ryan, we didn’t get an AQ message. However we used same email and password (now changed) on both accounts. Thanks for the heads up on the board.

And, more dangerous, they might be able to go through the list and try hacking into bank accounts...

Let's face it, anyone with any online presence to speak of these days has waaaaay too many passwords to remember. Here's what I do: For sites that are truly important, such as bank accounts, brokerage accounts, etc., I not only use a different password for each, I use a different style of password, doesn't even look like it came from the same person. But for the relatively unimportant sites, no money involved, sometimes you wonder why they bother, for those I'll use "canned" passwords and often the same password on a bunch of sites. I have a document on my 'puter where I write my passwords down -- protected by password, of course -- but for some of these sites it isn't even worth opening that document up and editing it, I'll just use the same ol' same ol' that I've used for a dozen other sites.

With no idea how these hackers operate or distribute their findings...

I'm betting they sell them.

Ryan, we didn’t get an AQ message.

Hmm.... you should have. Your email and trailname are the same on both accounts, so AQ should have been able to cross-reference them.

BUT--if you had already changed your password before I finished the script that cross-referenced them, you wouldn't have gotten an email because by that point, the passwords were different. Those who changed their passwords the first few hours after I posted about the breach wouldn't have gotten the message--they didn't need it by then!

So if I had to guess, you were probably one of those people. =)

-- Ryan

I think if someone hacks MY bank accounts, they'll see how much of a waste of time it was .....

That'll teach em!!

jaxx

Same passwords on both accounts. Just changed LbNA but unable to change atlas quest keeps going to page telling me Whoops must be a bug, sending notice. Tried several times. What am I doing wrong??

They contact me about the breach (along with a link to the list) at first thinking AQ had been breached, but it was actually LbNA's data.

Wait, so they protect your data by sending the entire list to everyone who pays them??? Where do I sign up??

Sorry. I was referring to AQ. Not LBNA. When I access the Account Info page on my AQ account using Chrome, it shows as unsecured. If I access it using IE, I get a message that it is only displaying secure items and do I want to display all. I haven't tried any other browsers.

Thank you for taking the time to help people protect their accounts.

When I access the Account Info page on my AQ account using Chrome, it shows as unsecured. If I access it using IE, I get a message that it is only displaying secure items and do I want to display all. I haven't tried any other browsers.

FWIW, Firefox version 43.0.1 shows that page as completely secure.

Me too. I'm getting a bug as well.

I also didn't get an AQ mail about it. I suspect that my email/PW are the same for both, as I tend to use the same password for sites that have no financial or personal data tied to them...but maybe the email address isn't the same...not sure....

Just changed LbNA but unable to change atlas quest keeps going to page telling me Whoops must be a bug, sending notice.

Sorry about that. Late last night I decided to make some updates to make the passwords on AQ more secure and I forgot to update one of the files I changed. Even though--as far as I know--AQ's database hasn't been compromised, I did a bit more research about securely storing passwords and realized that there was still room for improvement. It should be working now. Sorry for the trouble!

-- Ryan

When I access the Account Info page on my AQ account using Chrome, it shows as unsecured. If I access it using IE, I get a message that it is only displaying secure items and do I want to display all.

Hmm.... I'm at a loss of what to tell you. I just tried it with both Chrome and IE and they both seem to work fine on my system without any security errors. Can you click on the lock or something and see exactly which elements are showing up as unsecured?

I don't think there's a problem on AQ, but I'm wondering if maybe there is a problem with your computer, like one of those "adware" things that automatically put links into random pages on the web which might not be secure. But maybe it would help if I could figure out which elements on the page you see are supposedly not secure.

-- Ryan

FWIW, Firefox version 43.0.1 shows that page as completely secure.

Ditto for FF v 47.0

Yes - changed it right away. Thanks for being so quick on this.

Thank you for taking the time to help people protect their accounts.

I agree. Impressive response to any problem, much less an exogenous one.

much less an exogenous one.

You made me use a dictionary today. =)

-- Ryan

You made me use a dictionary today. =)

No doubt online, and not an OED in your pack :-)

Astonishingly, I have never added password encryption to LbNA. Now that I know someone cares enough to hack the database, I will get off my butt and work on that. :)

Choi

The hackers emailed it to some of the LbNA members. Not sure how wide a distribution it had, but I didn't get a copy.

Choi