Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
Stealer logs is pretty bad. Very bad to be fair. It means your computer is infected and have stolen all your saved passwords.
Reinstall your operating system completely. Take note of your accounts and change all their passwords. Start with your email address as its the most important one.
No, it was steam that was breached. Haveibeenpwned notices you about major central data leaks. It is not an anti-malware
This breach is worse than just a website's database being leaked. These are info-stealer malware logs. Meaning that you had malware on one of your devices that recorded you typing your credentials into websites and then the logs of that malware were publicly leaked.
Before changing all of your passwords (and setting up a password manager if you don't already use one) you need to identify which of your devices was compromised and wipe it.
If you change all your passwords from the compromised device then the malware will just record all of your new passwords.
Do you have a clue about what haveibeenpwned is?
How would one identify which device was compromised?
Assume all of them are infected.
Turn off your computer and make sure it powers down. Toss it in a 43-foot hole in the ground. Bury it completely rocks and boulders should be fine. Then burn any clothes you may have worn any time you were onliiiine
Wait a sec my grandmother is calling me about some pictures I apparently sent her
Instructions unclear, I don't speak Swahili
That advice is a bit too weird;)
Which password manager is good? I use Bitwarden but it would take forever to change all my passwords inside of it
Bitwarden have a good balance of security, price and convenience. If you want more control and less convenience, KeePass.
Keepassxc
The best IMO because it's just a client you install on a device which reads an encrypted data file you can sync how you like.
This way it's not a hoard like lastpass or bitwarden.
Bitwarden.
Assuming this email is legit, the best thing that you can do is change as many of your passwords as possible to be unique and complex. You may also want to consider deleting old email addresses and getting new ones. Alternatively you can separate your emails addresses by having one for signing up for spammy services, one for personal stuff, one for work/school, etc. Try not to have much overlap between them all.
Edit: I also highly recommended using a temporary email for signing up for stuff whenever possible. I always use this one , but there are plenty of others too.
I kinda like https://yopmail.com/ as it's much more customizable
I like grr.la because I can sign in into the services with any random name @grr.la before opening the temporarily mail site, and sometimes I find out that it wasn't required to confirm the mail, saving some time
For those wondering what this is Troy Hunter (HIBP founder) wrote an article on this new feature.
That’s a great pseudonym, if it is one. Troy Hunter, i.e. hunter of trojans. Fantastic
Password manager, and use different randomly generated passwords.
The real danger is having the same password everywhere.
Also pay attention to where you save your payment info.
Everything I do online is through Privacy.com, with limits for each vendor. My amazon gets hacked? Most I'm out is $100, steam gets hacked, there goes $60. A subscription tries to double charge, lol no. Free trial wants to auto-bill me after 7 days, its not happening. Funneling everything through them isn't 100%, but at least they're not paypal, I get notified when ever even a 1 cent charge happens and I'm not leaving my bank card on a dozen random sites I'll eventually loose track of.
Sadly I don't know of an alternative operating in Europe.
Revolut? I think you can create cards the same way
I do this. However I also hit the limit of disposable cards.
Turns out to not be as many as I would have thought.
Didn't know that! Not using it but I heard you can then they decided to ban more secure custom ROMs 🤷♂️
That's unfortunate.
Another thing you can do is to keep available funds on whatever card you use online low. If there's only 1 to 2k on the card, yes it'll suck, but it won't be as impactfull as your life savings.
You a might also consider credit card with a small limit (1k or less) and set auto pay to "pay full balance" every month. Avoid interest like the plague, (those cards have insane interest rates over 20%), but if you're always paying it off in full, there's no interest to pay. If I can't pay the credit card off in full (and I mean the full limit) when I "swipe" it, I pretend it does not exist. None of the "I get played next week, so I can pay it off then" - nope, don't go there.
Supposedly credit cards have better fraud protection than a debit, but maybe that's just another one of our many "Freedom" problems.
The main thing is you're separating the random websites from the majority of your funds to limit how much can be taken. If there's a problem, I'm dealing with Privacy.com and a couple hundred bucks and can still pay the bills. I'm not trying to convince ebayclone#71 and my bank I didn't place an order for 10000 waffle makers before the lights shut off.
And of course, I'm just some rando on the internet, not an actual expert. Not even in same country as you, so take that for what it is.
What if my chosen service doesn't allow me to change passwords that frequently?
It's not that you change the passwords for each website often, it's that you use a different password for each site. That way if one site gets hacked and your password is leaked, it can't be used to access your accounts on other sites.
Also a note that captial one has a similar service for their own credit cards. Def not as good as privacy.com, but still useful.
Good to know.
Start changing passwords mon ami
Get a password manager and just start going from site to site and change em up. Use strong ones and store them in the pass manager. Start with critical ones like banks, email accounts, and government stuff, and then keep going..
Bitwarden is great, you can also optionally self-host it with vaultwarden.
I personally also suggest KeePass2 for an offline vault storage that you can use with Syncthing to synchronize so the data never leaves your devices.
It's worth mentioning that both these programs are subject to leaks in machines infected with malware like OP's was, so maybe if malware is a problem you deal with regularly, i suggest the online options.
Change your password, and hopefully you don't use the same password across multiple accounts. Since you're asking, I assume you do. (Not shaming, just informing)
It would be best practice to use a different email and password for every account you create, and enable MFA. Email aliases work great for this, and use unique randomly generated passwords for everything. A password manager will help you create, remember, and fill these fields for you so its not cumbersome. There are many good ones, I personally recommend Bitwarden. You can get pretty far with their free version, but I recommend paying to get the authenticator built in, so you can auto fill MFA codes.
If you can't afford this, or want to keep the codes separate (not all your eggs in one basket) then download the Aegis authenticator app. Its free and very good.
There was a steam breach too, i changed my email and password for steam as well
Can you provide your source (no pun intended)?
That would mean you have a virus on your PC not that Steam DB has been breached, right?
If there is a virus on someone's pc, the antimalware software would notice it, not have i been pwned. Idk who bought this bs up. Steamdb WAS breached. Not my pc was compromised, but Steam
I have not read the whole article because I'm to lazy but here is a picture from the article you posted. Antimalware is not perfect and cannot detect every threat on your PC. There have been cases of game developer accounts being hacked and then updates being pushed through those hacked accounts including stealer malware / spyware which would then be installed on your PC, which is not a Steam Database breach but a Steam Developer Account Hack. Maybe Steam should have stopped those updates IDK I'm no malware expert. EDIT: Btw. the last Steam Database breach I could find in my 2 mins of searching the web was in 2015.
That didn't happen in my case, since i do not update my games, as they are mostly downloaded from fitgirl repacks
I think you missed the entire premise of the article you linked - the "stealer logs" mean someone logged into your account on a system that had been breached (infected with malware), and the "stealer" "logged" those credentials.
Also, SteamDB and Steam are two very different things. SteamDB is an independent third party offering that just tracks Steam data via their API.
Steam notifies about every login attempt and 2FA is also set. No way they could do that without me noticing. Haveibeenpwned only reports central database leaks, not user-side leaks
Nasty stuff, stealer logs. I've written about them and loaded them into Have I Been Pwned (HIBP) before but just as a recap, we're talking about the logs created by malware running on infected machines. You know that game cheat you downloaded? Or that crack for the pirated software product? Or the video of your colleague doing something that sounded crazy but you thought you'd better download and run that executable program showing it just to be sure? That's just a few different ways you end up with malware on your machine that then watches what you're doing and logs it, just like this:
These logs all came from the same person and each time the poor bloke visited a website and logged in, the malware snared the URL, his email address and his password. It's akin to a criminal looking over his shoulder and writing down the credentials for every service he's using, except rather than it being one shoulder-surfing bad guy, it's somewhat larger than that.
Seriously, read the article you posted. YOU probably attempted to log in and the virus on YOUR computer you seem to be in HEAVY denial about captured your info. You're lucky the 2FA probably prevented the people who are are logging activity from your PC from accessing your Steam account.
The article you posted clearly defines stealer logs, and the email you screenshot clearly says your info is in a stealer log breach - I don't know what more to say. You clearly have all the information you need, you just don't want to process it.
YOU LOGGED INTO STEAM ON AN INFECTED COMPUTER AND ARE PROBABLY STILL USING THAT SYSTEM. YOUR COMPUTER HAS A VIRUS.
Change your password(s).
